Beware! SQL Injection through ADF/Pipelines
Proposed session for SQLBits 2026
TL;DR
In this lightning talk, we will explore the risks of using native SQL queries with dynamic content for Copy Activity Pipelines in Azure Data Factory (ADF). We will also discuss alternatives and mitigation steps.
Session Details
Do you ever dream of being partially at fault for an enterprise-wide security incident of catastrophic magnitude? I sure hope not!
Check out this session if you have ever considered using dynamic native SQL queries with your copy activities. You should know about the potential security risks of SQL injection and how to mitigate them.
Metadata-driven architectures in ADF/Synapse are a great way to improve the agility of an implementation. But if the source of the dynamic content can be tampered with, it can give a hacker, a disgruntled employee or even an oblivious employee the ability to modify, update or delete data in the data warehouse or, even worse, in the data source.
In this lightning talk, we will explore the risks of using native SQL queries with dynamic content for Copy Activity Pipelines in Azure Data Factory (ADF). We will also discuss alternatives and mitigation steps.
Topics:
• Risks of using native SQL queries with dynamic content
• Alternatives and risk mitigation
3 things you'll get out of this session
- Understand the security risks of dynamic native SQL in ADF copy activities
- Learn how SQL injection can occur in metadata-driven architectures
- Discover safer alternatives and practical mitigation strategies
Speakers
Mathias Halkjaer's other proposed sessions for 2026
Fabric Data Agents and beyond - 2026
Ingesting API data with Python Notebooks - 2026
Navigating Data Modeling in Direct Lake - 2026
The Future of Data - 2026
Vibecoding examples for data professionals - 2026
Vibe-coding for the data professional - 2026
When data lies - typical patterns for manipulating data - 2026
Mathias Halkjaer's previous sessions
Nose-Dive Narratives: Slide Karaoke 2024
Get ready to wrap up a serious day of learning with a dash of humor, spontaneity, and friendly competition! SQLBits presents "Slide Karaoke" where SQLBits speakers reveal their hidden talents while vying for bragging rights. This session promises to be a one-of-a-kind experience that will leave you in stitches and awe, and the speakers scrambling for their non-existent notes!
A deep dive into Direct Lake
The new Direct Lake storage mode in Power BI promises to revolutionize data handling by blending the real-time nature of DirectQuery and the high performance of Import mode. Is this all just hype, or does Direct Lake truly deliver on these claims?
Advanced Power BI refresh with ADF/Synapse
After this session, you will be able to conceptualize and implement different Power BI refresh scheduling patterns in ADF/Synapse. You’ll learn what limitations in Power BI you can overcome with an “external” orchestration tool as well as the different building blocks available. Finally, we will go through an example implementation as well as a step-by-step demo of how you can set this up yourself.
Supercharge Power BI with Azure Synapse Analytics
In this session we will cover how to architect an end-to-end enterprise analytics platform so that we utilize the best of both worlds: the extremely versatile ETL capabilities of Synapse and the powerful data modelling in Power BI.