sql server - How to prevent SQL injection in dynamic SQL for bulk insert?
I'm using dynamic SQL for a bulk insert with a file-name parameter (bulk insert from a stored procedure):

declare @sql nvarchar(4000) = 'bulk insert tblvalues from ''' + @filename + ''' with ( fieldterminator ='','', rowterminator =''\n'' )'; exec(@sql);

But... how do I avoid SQL injection?
Use QUOTENAME to surround the file name in single quotes (it doubles any quote inside the value, so the value cannot end the string literal):

declare @sql nvarchar(4000) = 'bulk insert tblvalues from ' + quotename(@filename,'''') + ' with ( fieldterminator ='','', rowterminator =''\n'' )'; exec (@sql);
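A fuller version of the answer's approach, written as an added example (not the answerer's code): a stored procedure that builds the BULK INSERT with QUOTENAME, rejects input that QUOTENAME cannot handle, and restricts the path to an allowed directory. The table name tblvalues comes from the question; the procedure name, the import directory C:\imports\ and the sample file name are assumptions.

```sql
-- Added example, not from the original answer. BULK INSERT does not accept a
-- variable for the file name, so dynamic SQL is unavoidable here; the point is
-- to make the file name a proper string literal no matter what it contains.
CREATE OR ALTER PROCEDURE dbo.usp_BulkLoadValues   -- assumed procedure name
    @filename nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;

    -- Allowlist check (assumed directory): only files under the import folder
    -- may be loaded, so a syntactically valid but unexpected path is refused.
    IF @filename NOT LIKE N'C:\imports\%' OR @filename LIKE N'%..%'
    BEGIN
        RAISERROR('File must be located directly under C:\imports\.', 16, 1);
        RETURN;
    END

    -- QUOTENAME takes at most 128 characters and returns NULL for longer input,
    -- so a long path must fail loudly instead of producing "FROM NULL".
    DECLARE @quoted nvarchar(258) = QUOTENAME(@filename, '''');
    IF @quoted IS NULL
    BEGIN
        RAISERROR('File path too long for QUOTENAME (max 128 characters).', 16, 1);
        RETURN;
    END

    -- Any single quote inside @filename has been doubled by QUOTENAME, so the
    -- whole value stays inside the literal and cannot add statements.
    DECLARE @sql nvarchar(4000) =
        N'BULK INSERT dbo.tblvalues FROM ' + @quoted
        + N' WITH (FIELDTERMINATOR = '','', ROWTERMINATOR = ''\n'');';

    EXEC sys.sp_executesql @sql;
END
GO

-- Constructed sample: a legitimate path containing an apostrophe. Without
-- QUOTENAME the apostrophe would terminate the literal; with it the quote is
-- doubled and the statement stays well formed.
DECLARE @sample nvarchar(128) = N'C:\imports\o''neil.csv';
SELECT QUOTENAME(@sample, '''') AS quoted_literal;
EXEC dbo.usp_BulkLoadValues @filename = @sample;
```

QUOTENAME is the right escaping primitive for the string literal, but on its own it only guarantees that the value is parsed as a file name; the directory allowlist is what keeps the procedure from reading arbitrary files the SQL Server service account can reach. For paths longer than 128 characters, REPLACE(@filename, '''', '''''') wrapped in quotes gives the same doubling without the length limit.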