SQL Ejaculation

SQL Injection is the practice of slipping SQL code into a database execution command to get the DB to do something indirectly. Although this is a famous condition of a security vulnerability, it is less touted but more widely used by nefarious developers looking to subvert soul-crushing DBAs.

A typical example is the 1 month turnaround cycle for a new stored proc resulting in the inclusion by a developer of a "secret" stored proc that will execute whatever SQL sent to it as a string. I bring this up only because I know it is a less talked about, but very real.

The exact opposite of SQL Injection is (named by me) SQL Ejaculation. SQL Ejaculation is the practice of DBAs trying to insert their idea of view logic into an application via stored procedures.

Here is a classic example of SQL Ejaculation.

CREATE PROCEDURE sp_getCustomers
AS
SELECT "<tr><td>" + FirstName + "</td><td>" + LastName + "</td></tr>"
FROM Customer

And before you even ask, yes, people really do this. In fact, when I learned how to do it 15 years ago or so, I thought it was kind of cool. We all grow wiser, right?

2 thoughts on “SQL Ejaculation

Comments are closed.

Proudly powered by WordPress | Theme: Code Blog by Crimson Themes.