Skip to content

Instantly share code, notes, and snippets.

{
"name": "Get a Quote",
"intents": [
{
"intent": "AutoInsurance",
"examples": [
{
"text": "auto"
},
{
@bertwagner
bertwagner / RSSFeeds.opml
Created July 15, 2019 19:33
The OPML file of all of the SQL Server (and some other) RSS feeds I subscribe to as of 2019-07-01.
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Bert's mostly SQL subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="Marketing" title="Marketing">
<outline type="rss" text="Signal v. Noise" title="Signal v. Noise" xmlUrl="https://signalvnoise.com/posts.rss" htmlUrl="https://m.signalvnoise.com"/>
<outline type="rss" text="Austin Kleon" title="Austin Kleon" xmlUrl="http://feeds2.feedburner.com/AustinKleon" htmlUrl="https://austinkleon.com"/>
[{
"Label": "2015",
"Value": "2015"
}, {
"Label": "2016",
"Value": "2016"
}, {
"Label": "2017",
"Value": "2017"
}]
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
CREATE PROCEDURE dbo.sp_GetFullNameFromTableSanitized
@ParmTableName varchar(100),
@ParmUserName varchar(100)
AS
BEGIN
DECLARE @FullQuery nvarchar(1000)
SET @FullQuery = N'SELECT FullName FROM dbo.' + QUOTENAME(@ParmTableName) + ' WHERE UserName = @UserName'
DECLARE @ParmDefinition nvarchar(100) = N'@UserName varchar(100)';
CREATE PROCEDURE dbo.sp_GetFullNameFromTable
@ParmTableName varchar(100),
@ParmUserName varchar(100)
AS
BEGIN
DECLARE @FullQuery nvarchar(1000)
SET @FullQuery = N'SELECT FullName FROM dbo.@TableName WHERE UserName = @UserName'
DECLARE @ParmDefinition nvarchar(100) = N'@TableName varchar(100), @UserName varchar(100)';
-- This file tries to find stored procedures and functions that *may* be vulnerable to SQL injection attacks.
-- It works by searching your database for occurences of "+" signs followed by "@", indicating that SQL parameters
-- might be getting concatenated to a dynamic SQL string. It also checks for the existence of 'EXEC' to see if any
-- strings are being executed.
-- Not every result returned will be susceptible to SQL injection, however they should all be examined to see if they are vulnerable.
-- Originally fromn: https://github.com/bertwagner/SQLServer/blob/master/SQL%20Injection%20Vulnerabilities.sql
CREATE PROCEDURE dbo.sp_GetFullNameSafe2
@ParmUserName varchar(100)
AS
BEGIN
DECLARE @FullQuery nvarchar(1000)
SET @FullQuery = N'SELECT FullName FROM dbo.RegisteredUser WHERE UserName = @UserName'
DECLARE @ParmDefinition nvarchar(100) = N'@UserName varchar(100)';
EXEC sp_executesql @FullQuery, @ParmDefinition,
CREATE PROCEDURE dbo.sp_GetFullNameSafe
@ParmUserName varchar(100)
AS
BEGIN
SELECT FullName FROM dbo.RegisteredUser WHERE UserName = @ParmUserName
END