SQL injection, and how to prevent it

For a change, a video about security rather than performance and execution plans. Why? That should become clear in my next planned videos, although I really can't predict when I'll be able to record those.

What is it? And how to prevent it?

In roughly the first 12.5 minutes of the video, I explain what SQL injection is in the simplest, least technical terms I could come up with. The same analogy also shows which defensive measures do and do not work, and how easy it ultimately is to be safe. In the rest of the video, I tie that back to SQL and to the frontend code that builds the queries.
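Since the video itself is not on this page, here is a worked T-SQL example of the same point, added here as an illustration; it is not code from the post or the video. It assumes a scratch SQL Server 2012 or later database (for TRY_CONVERT and THROW); the #Users table, its rows and the attacker inputs are made up for the demonstration. It walks from the vulnerable string concatenation, through the quote-doubling half-measure that only sometimes helps, to sp_executesql parameters for values and QUOTENAME() for identifiers.

```sql
SET NOCOUNT ON;

-- Constructed sample data. A temp table is used because dynamic SQL run in
-- the same session can see it (a table variable cannot be referenced there).
IF OBJECT_ID(N'tempdb..#Users') IS NOT NULL DROP TABLE #Users;
CREATE TABLE #Users (UserId int NOT NULL, UserName nvarchar(50) NOT NULL, IsAdmin bit NOT NULL);
INSERT INTO #Users (UserId, UserName, IsAdmin)
VALUES (1, N'alice', 1), (2, N'bob', 0), (3, N'carol', 0);

-- Constructed attacker inputs: what gets typed into a "user name" box and
-- into a "user id" box. Everything after -- in T-SQL is a comment.
DECLARE @NameInput nvarchar(100) = N'x'' OR 1=1 --';
DECLARE @IdInput   nvarchar(100) = N'1 OR 1=1';
DECLARE @Sql nvarchar(max);

-- 1. Vulnerable: the input is glued into the statement text, so the quote in
--    the payload ends the literal and the rest is parsed as SQL. The WHERE
--    clause becomes  UserName = 'x' OR 1=1  and filters nothing at all.
SET @Sql = N'SELECT UserId, UserName FROM #Users WHERE UserName = ''' + @NameInput + N''';';
PRINT @Sql;   -- the text the server actually parses
EXEC (@Sql);

-- 2. Half-measure: doubling every single quote in the input. This closes the
--    hole above, because the payload can no longer break out of the literal...
SET @Sql = N'SELECT UserId, UserName FROM #Users WHERE UserName = '''
         + REPLACE(@NameInput, N'''', N'''''') + N''';';
EXEC (@Sql);
--    ...but it does nothing wherever the value is not inside quotes, such as
--    a numeric predicate: there is no quote to escape from, so the second
--    payload still lands in the statement as  UserId = 1 OR 1=1.
SET @Sql = N'SELECT UserId, UserName FROM #Users WHERE UserId = '
         + REPLACE(@IdInput, N'''', N'''''') + N';';
PRINT @Sql;
EXEC (@Sql);

-- 3. The fix: keep data out of the statement text. sp_executesql sends the
--    statement and the values separately, so a payload can only ever be
--    compared as a value; it is never parsed as SQL. The statement text is
--    now a constant, which also lets SQL Server reuse the plan.
DECLARE @Stmt nvarchar(max) = N'SELECT UserId, UserName FROM #Users WHERE UserName = @UserName;';
EXEC sys.sp_executesql @Stmt, N'@UserName nvarchar(100)', @UserName = N'bob';       -- legitimate lookup
EXEC sys.sp_executesql @Stmt, N'@UserName nvarchar(100)', @UserName = @NameInput;   -- the payload is just a name nobody has

--    For the numeric case the parameter is typed, so convert at the boundary
--    and reject anything that is not a number instead of pasting text.
DECLARE @UserId int = TRY_CONVERT(int, @IdInput);   -- NULL for the payload above
IF @UserId IS NULL
    PRINT N'Rejected: user id is not an integer';
ELSE
    EXEC sys.sp_executesql N'SELECT UserId, UserName FROM #Users WHERE UserId = @UserId;',
                           N'@UserId int', @UserId = @UserId;

-- 4. Identifiers (table and column names) cannot be parameters. When one must
--    be spliced in, QUOTENAME() turns the whole value into a single delimited
--    identifier, so the payload below names one (non-existent) table instead
--    of running its RAISERROR. Check for NULL: QUOTENAME returns NULL when
--    the input is longer than 128 characters.
DECLARE @TableName  sysname = N'#Users; RAISERROR(''injected via identifier'', 16, 1); --';
DECLARE @QuotedName nvarchar(258) = QUOTENAME(@TableName);
IF @QuotedName IS NULL
    THROW 50000, N'Identifier too long', 1;
SET @Sql = N'SELECT COUNT(*) AS RowCnt FROM ' + @QuotedName + N';';
PRINT @Sql;   -- the whole payload is now one bracketed identifier
EXEC (@Sql);  -- no table of that name exists, so this errors instead of running the payload
```

Run it in SSMS with results sent to text and compare what each EXEC returns with the statement text printed just before it. Steps 1 and 2 are the "defences that do not work" end of the spectrum; step 3 is all that is needed for values. For identifiers, QUOTENAME() is the minimum; better still is to compare the requested name against an allow-list (for example the rows of sys.tables) before it goes anywhere near dynamic SQL.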

More of me?

Was this useful to you? Do you want to learn more from me?

You can click here to see an overview of my scheduled conference talks. If you attend one of those, you get a lot of other presenters and sessions thrown in as well!

To learn really everything about SQL Server execution plans, check out my video training. Over 20 hours of super high quality video content (and more will be added when ready).

Or you can hire me to fix the performance problems (and perhaps some security issues too?) on your server, or for in-house training.

1 Comment

  • I think a canary table in our test environments could help matters:

    USE YourTestDatabase;
    GO
    -- Create a canary table whose table name and column name are themselves
    -- injection payloads. The CREATE runs as dynamic SQL inside TRY/CATCH so
    -- the script can be re-run once the table already exists. The messages
    -- use doubled single quotes: under QUOTED_IDENTIFIER ON (the default in
    -- SSMS), double quotes would be parsed as identifiers, not strings.
    BEGIN TRY
        EXECUTE (N'CREATE TABLE [x;RAISERROR(''SQL INJECTION USING TABLE NAMES!'',17,0);] ([x;RAISERROR(''SQL INJECTION USING COLUMN NAMES!'',17,0);] tinyint)');
    END TRY
    BEGIN CATCH
    END CATCH;

    -- Deliberately unsafe dynamic SQL: table names are concatenated without
    -- QUOTENAME(). Any code that builds statements this way trips the canary.
    DECLARE @query NVARCHAR(4000) = N'';
    SELECT @query += N';SELECT TOP 1 * FROM ' + [name]
    FROM sys.tables
    --WHERE [name] LIKE '%RAISERROR%'
    ;
    PRINT (@query);
    EXECUTE (@query);
    /*
    The above could warn us of any unsafe code
    that juggles table names or column names.
    */
