SQLBits 2022

Limiting permissions in Dynamic SQL with Execute As

Dynamic SQL is great, until it is used to hack your site. In this session we demonstrate how using the T-SQL "Execute AS" command can limit what can be run using dynamic SQL.
A tool many application developers use is dynamic SQL. But as DBAs we cringe at the security hole that opens. DBAs are well acquainted with horror stories of SQL injection, where hackers inject harmful SQL into web page text boxes: drop tables, create logins, you name it.

But there are some situations where dynamic SQL provides needed flexibility. How can we take advantage of dynamic SQL while reducing the security risks? Running dynamic SQL with a low permission user is the main tool for protecting against SQL injection

In this talk we will identify scenarios where dynamic SQL is helpful and how it allows harmful SQL to be run. I will then show how to force the dynamic SQL to run as a low permission user. We will create a low permission user in the database. We will run the dynamic code as that low permission user using the “Execute AS” command in T-SQL. We will demonstrate how this prevents the execution of high permission code.

This is one of many tools that need to be in place to secure an application using dynamic SQL.

Feedback link https://sqlb.it/?7109