THE SQL Server Blog Spot on the Web


Rob Farley

- Owner/Principal with LobsterPot Solutions (a MS Gold Partner consulting firm), Microsoft Certified Master, Microsoft MVP (SQL Server), and leader of the SQL User Group in Adelaide, Australia. Rob is a former director of PASS, and provides consulting and training courses around the world in SQL Server and BI topics.

SQL Injection – the golden rule

Hi! Great that you've found this page, but it's no longer here! You can find the content over at:

Published Tuesday, February 10, 2015 11:32 AM by Rob Farley



pmbAustin said:

Excellent post, thanks for this!  I'll be sharing this page liberally :-)

February 13, 2015 11:35 AM

KRK said:

Succinct quote to explain SQL injection.

Thank you.

February 19, 2015 6:45 PM

Rich said:

Found a couple of typos in your code that prevent it from executing:

"where object_id = object_id(@tablename) and name = @fitercol; "

should be @filtercol (missing the "l")

and I believe you'll need an "N" in the sp_executesql statement for the parameter @val, as sp_executesql requires Unicode parameters.

February 20, 2015 9:54 AM
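The safe dynamic-SQL pattern that Rich's comment refers to (identifiers checked against sys.columns, the value handed to sp_executesql as an N'...' parameter rather than concatenated), written out as an added T-SQL example; this is not the code from Rob's original post, and the procedure, table and column names are hypothetical.

```sql
-- Added example (not from the original post). Identifiers are validated
-- against the catalog and wrapped with QUOTENAME; the filter value never
-- becomes part of the SQL text, it is bound as an sp_executesql parameter.
CREATE OR ALTER PROCEDURE dbo.GetRowsByColumn   -- hypothetical procedure name
    @tablename sysname,
    @filtercol sysname,
    @val       nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Fail closed unless the table exists and really has that column.
    --    Note the variable is @filtercol, the typo Rich pointed out.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.columns
        WHERE object_id = OBJECT_ID(@tablename)
          AND name = @filtercol
    )
    BEGIN
        RAISERROR(N'Unknown table or column.', 16, 1);
        RETURN;
    END;

    -- 2. Build the statement from QUOTENAME'd, catalog-verified identifiers only.
    --    @val is NOT concatenated; the text contains a parameter placeholder.
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM '
      + QUOTENAME(OBJECT_SCHEMA_NAME(OBJECT_ID(@tablename)))
      + N'.' + QUOTENAME(OBJECT_NAME(OBJECT_ID(@tablename)))
      + N' WHERE ' + QUOTENAME(@filtercol) + N' = @val;';

    -- 3. sp_executesql needs Unicode (N'...') for both the statement and the
    --    parameter definition; @val is passed as a typed parameter.
    EXEC sys.sp_executesql
        @sql,
        N'@val nvarchar(200)',
        @val = @val;
END;
GO

-- Constructed demo: the injection-looking string is compared as a literal,
-- never executed, because it only ever travels through the @val parameter.
EXEC dbo.GetRowsByColumn N'dbo.Customers', N'Name', N''' OR 1=1 --';
```

A caller who supplies a column name that is not in sys.columns gets the RAISERROR rather than a query, which is what makes the identifier whitelist effective.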

Rob Farley said:

Ah yes. Thanks Rich. :)

February 20, 2015 8:37 PM