Extract SqlBulkCopy column names using dynamic SQL #3719
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -457,7 +457,7 @@ private string CreateInitialQuery() | |
| } | ||
| else if (!string.IsNullOrEmpty(CatalogName)) | ||
| { | ||
| CatalogName = SqlServerEscapeHelper.EscapeStringAsLiteral(SqlServerEscapeHelper.EscapeIdentifier(CatalogName)); | ||
| } | ||
|
|
||
| string objectName = ADP.BuildMultiPartName(parts); | ||
|
|
@@ -470,16 +470,19 @@ private string CreateInitialQuery() | |
| return $""" | ||
| SELECT @@TRANCOUNT; | ||
|
|
||
| DECLARE @Object_ID INT = OBJECT_ID('{escapedObjectName}'); | ||
| DECLARE @Column_Name_Query NVARCHAR(MAX); | ||
| DECLARE @Column_Names NVARCHAR(MAX) = NULL; | ||
| IF EXISTS (SELECT TOP 1 * FROM sys.all_columns WHERE [object_id] = OBJECT_ID('sys.all_columns') AND [name] = 'graph_type') | ||
| BEGIN | ||
| SET @Column_Name_Query = N'SELECT @Column_Names = COALESCE(@Column_Names + '', '', '''') + QUOTENAME([name]) FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID AND COALESCE([graph_type], 0) NOT IN (1, 3, 4, 6, 7) ORDER BY [column_id] ASC;'; | ||
|
There was a problem hiding this comment. The column query logic is duplicated between the two branches. Consider extracting the common query structure and conditionally adding the There was a problem hiding this comment. I'm happy to do this if requested - I just didn't want to raise any red flags by using T-SQL to build a SQL statement dynamically. There was a problem hiding this comment. The magic numbers (1, 3, 4, 6, 7) in the There was a problem hiding this comment. These are documented here but I agree that it's not intuitive to find; I'll add a comment when responding to the wider review. |
||
| END | ||
| ELSE | ||
| BEGIN | ||
| SET @Column_Name_Query = N'SELECT @Column_Names = COALESCE(@Column_Names + '', '', '''') + QUOTENAME([name]) FROM {CatalogName}.[sys].[all_columns] WHERE [object_id] = @Object_ID ORDER BY [column_id] ASC;'; | ||
edwardneal marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| END | ||
|
|
||
| EXEC sp_executesql @Column_Name_Query, N'@Object_ID INT, @Column_Names NVARCHAR(MAX) OUTPUT', @Object_ID = @Object_ID, @Column_Names = @Column_Names OUTPUT; | ||
| SELECT @Column_Names = COALESCE(@Column_Names, '*'); | ||
|
|
||
| SET FMTONLY ON; | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Double-escaping the catalog name (first as identifier, then as literal) may not provide the intended protection. If
CatalogNamecomes from user input, consider validating it against a whitelist of allowed database names instead of relying solely on escaping. The identifier escaping is unnecessary when the value will be embedded as a string literal in dynamic SQL.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Escaping the identifier twice is necessary because
CatalogNameis an object name which will be part of a dynamic SQL query. The inner escape handles[]in the property, the outer escape handles prevents'generating an error. In both cases, we ensure that malicious input cannot be used to inject SQL statements into the metadata query. Removing one of these escapes would be unsafe.