SQL Injection is the practice of slipping SQL code into a database execution command to get the DB to do something indirectly. Although this is a famous condition of a security vulnerability, it is less touted but more widely used by nefarious developers looking to subvert soul-crushing DBAs.
A typical example is the 1 month turnaround cycle for a new stored proc resulting in the inclusion by a developer of a "secret" stored proc that will execute whatever SQL sent to it as a string. I bring this up only because I know it is a less talked about, but very real.
The exact opposite of SQL Injection is (named by me) SQL Ejaculation. SQL Ejaculation is the practice of DBAs trying to insert their idea of view logic into an application via stored procedures.
Here is a classic example of SQL Ejaculation.
CREATE PROCEDURE sp_getCustomers AS SELECT "<tr><td>" + FirstName + "</td><td>" + LastName + "</td></tr>" FROM Customer
And before you even ask, yes, people really do this. In fact, when I learned how to do it 15 years ago or so, I thought it was kind of cool. We all grow wiser, right?
2 thoughts on “SQL Ejaculation”
Comments are closed.