THE SQL Server Blog Spot on the Web


Rob Farley

- Owner/Principal with LobsterPot Solutions (a MS Gold Partner consulting firm), Microsoft Certified Master, Microsoft MVP (SQL Server), APS/PDW trainer and leader of the SQL User Group in Adelaide, Australia. Rob is a former director of PASS, and provides consulting and training courses around the world in SQL Server and BI topics.

SQL Injection – the golden rule

Hi! Great that you've found this page, but it's no longer here! You can find the content over at:

Published Tuesday, February 10, 2015 11:32 AM by Rob Farley




pmbAustin said:

Excellent post, thanks for this!  I'll be sharing this page liberally :-)

February 13, 2015 11:35 AM

KRK said:

Succinct Quote to explain SQL Injection.

Thank you.

February 19, 2015 6:45 PM

Rich said:

Found a couple of typos in your code that prevent it from executing:

"where object_id = object_id(@tablename) and name = @fitercol; "

should be @filtercol (missing the "l")

and I believe you'll need an "N" in the sp_executesql statement for the parameter @val, as sp_executesql requires Unicode parameters.

February 20, 2015 9:54 AM

Rob Farley said:

Ah yes. Thanks Rich. :)

February 20, 2015 8:37 PM
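The pattern Rich's comment refers to (checking the table and column against the catalog, then passing the value to sp_executesql as a Unicode parameter), written out as an added T-SQL example. This is not code from Rob's post; the procedure name, the dbo.Customers table, its columns and the sample rows are all constructed for the example.

```sql
-- Added example, not from the original post. Constructed sample data so the
-- script runs stand-alone on SQL Server.
CREATE TABLE dbo.Customers
(
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(100),
    City       nvarchar(100)
);
INSERT dbo.Customers (Name, City)
VALUES (N'Alice', N'Adelaide'), (N'Bob', N'Brisbane');
GO

CREATE OR ALTER PROCEDURE dbo.FilterRows
    @tablename sysname,
    @filtercol sysname,
    @val       nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- The pattern the golden rule forbids (do not use): the value is spliced
    -- into the statement text, so @val = N'x'' OR 1=1; --' rewrites the query.
    --   SET @sql = N'SELECT * FROM ' + @tablename + N' WHERE ' + @filtercol
    --            + N' = ''' + @val + N''';';

    -- Identifiers cannot be bound as parameters, so they are validated
    -- against the catalog (the check Rich's typo report refers to) and then
    -- wrapped with QUOTENAME before they touch the statement text.
    DECLARE @validcol sysname;
    SELECT @validcol = name
    FROM sys.columns
    WHERE object_id = OBJECT_ID(@tablename) AND name = @filtercol;

    IF @validcol IS NULL
    BEGIN
        RAISERROR(N'Unknown table or column.', 16, 1);
        RETURN;
    END

    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM '
        + QUOTENAME(OBJECT_SCHEMA_NAME(OBJECT_ID(@tablename)))
        + N'.' + QUOTENAME(OBJECT_NAME(OBJECT_ID(@tablename)))
        + N' WHERE ' + QUOTENAME(@validcol) + N' = @val;';

    -- sp_executesql's @stmt and @params arguments must be nvarchar, hence the
    -- N prefix on the parameter definition (Rich's second point). The value
    -- travels only as bound data, never as part of the statement text.
    EXEC sys.sp_executesql @sql, N'@val nvarchar(100)', @val = @val;
END
GO

-- Normal use: returns Alice's row.
EXEC dbo.FilterRows @tablename = N'dbo.Customers', @filtercol = N'City',
     @val = N'Adelaide';

-- Injection attempt in the value: compared as a literal string, so it returns
-- no rows instead of every row.
EXEC dbo.FilterRows @tablename = N'dbo.Customers', @filtercol = N'City',
     @val = N'x'' OR 1=1; --';

-- Injection attempt in an identifier: fails the catalog check and raises.
EXEC dbo.FilterRows @tablename = N'dbo.Customers',
     @filtercol = N'City = City; --', @val = N'x';
```

The split is the whole point: values go through sp_executesql's parameter list, identifiers go through a catalog whitelist plus QUOTENAME, and nothing supplied by the caller is ever concatenated into the statement as SQL text.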




Contact Me

Twitter: @rob_farley
Skype: rob_farley
