Intercept query batch from client to rewrite it or cancel it
Sometimes it is desirable to trap / intercept the batch submitted by the client (ODBC, SqlClient, etc), for various reasons, to possibly rewrite it or even cancel it.
Three instances that have been documented are found on DBA.StackExchange (and I'm sure that there are others):
https://dba.stackexchange.com/questions/84459/manipulate-sql-statement-before-execution-on-server (duplicated on Stack Overflow as: https://stackoverflow.com/questions/27320554/manipulate-sql-statement-before-execution-on-server )

Upvotes: 1
2 comments
-
Solomon Rutzky commented
A new use for this feature has come up: intercepting queries from application users / Dynamic SQL to filter on patterns that indicate SQL Injection.
Perhaps this feature could:
1) be configurable per each Login and/or User.
2) filter on total number of statements in the batch (additional statements would indicate end-user manipulation)
3) allow for filtering on patterns via Regular Expressions (RegEx)
4) might need some ability to add conditional logic if the goal is to work with absolutely NO code changes (is it possible to pass in a "filter_profile" or some new connection string keyword?)
I think this would be a much better approach to preventing SQL Injection as opposed to the new "Feature Restrictions" feature that was introduced in SQL Server 2019 CTP 3.2:
"URGENT: "Feature Restrictions" actually increases chances of SQL Injection and must be removed immediately (before RTM)" ( https://feedback.azure.com/forums/908035-sql-server/suggestions/38319796-urgent-feature-restrictions-actually-increases )
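As an added illustration of the idea in the comment above (a per-login filter profile, a cap on statements per batch, and regex patterns), and not code from this thread or from SQL Server: a Python model of the check such an intercept hook could apply. It normalizes the batch first (string literals become '?', comments are dropped) so that patterns match SQL structure rather than attacker-supplied text; the profile values, the `app_user` login and the statement-counting heuristic are assumptions.

```python
import re

# Constructed filter profile keyed by login (values are assumptions for this example).
PROFILES = {"app_user": {"max_statements": 1, "deny_patterns": [
    r"\bUNION\s+(?:ALL\s+)?SELECT\b",
    r"'\?'\s*=\s*'\?'",                 # literal-vs-literal tautology
    r"\b(?:OR|AND)\s+\d+\s*=\s*\d+\b",  # numeric tautology
    r"\bxp_cmdshell\b",
]}}

# Keywords that only open a statement; each one at paren depth 0 is counted.
# SELECT is counted only at batch start or after ';' so that INSERT ... SELECT
# and subqueries are not over-counted (heuristic, not a full T-SQL parser).
OPENERS = {"INSERT", "UPDATE", "DELETE", "MERGE", "EXEC", "EXECUTE", "DROP",
           "ALTER", "CREATE", "TRUNCATE", "GRANT", "DENY", "REVOKE", "SHUTDOWN"}

def normalize(batch):
    """Replace string literals with '?' and drop comments, so patterns match
    SQL structure rather than attacker-controlled text (nested /* */ not handled)."""
    return re.sub(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/",
                  lambda m: "'?'" if m.group().startswith("'") else " ",
                  batch, flags=re.S)

def count_statements(norm):
    count, depth, prev = 0, 0, ";"
    for tok in re.findall(r"[A-Za-z_@#][\w@#$]*|[();]", norm):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            up = tok.upper()
            count += up in OPENERS or (up == "SELECT" and prev == ";")
            prev = up
    return count

def inspect_batch(login, batch):
    """Return (allowed, reason) as a server-side intercept hook would."""
    profile = PROFILES.get(login)
    if profile is None:
        return True, "no profile for login"
    norm = normalize(batch)
    n = count_statements(norm)
    if n > profile["max_statements"]:
        return False, f"{n} statements, limit {profile['max_statements']}"
    for pat in profile["deny_patterns"]:
        if re.search(pat, norm, re.I):
            return False, f"matched pattern {pat}"
    return True, "ok"
```

Because normalization runs before the pattern check, a keyword hidden inside a string literal or a comment can neither trigger nor evade a rule; the count heuristic is deliberately conservative and the per-login limit is what catches stacked statements.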
-
Solomon Rutzky commented
I originally submitted this suggestion via: