
Support parameter for the file path in BULK INSERT statement

It would be good to support a variable for the data file part of a BULK INSERT statement. This will prevent some cases where people write SQL injection prone code. File paths allow quotes in the file name, so it is tricky to prevent SQL injection when composing dynamic SQL to execute BULK INSERT.

Even though I would not recommend exposing BULK INSERT through client-facing applications, you can see that people try to do this and open themselves to SQL injection.

http://stackoverflow.com/questions/7306616/bulk-insert-with-filename-parameter
http://stackoverflow.com/questions/5019041/how-to-cast-variables-in-t-sql-for-bulk-insert
http://stackoverflow.com/questions/4050790/bulk-insert-using-stored-procedure
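The injection risk described in the idea, as an added T-SQL example that is not part of the post: the unsafe concatenation beside a hardened version that fixes the directory, validates the file name and doubles any embedded quote. The table dbo.ImportStaging, the procedure names and the D:\imports directory are assumptions; THROW needs SQL Server 2012 or later.

```sql
-- Unsafe pattern (the one the idea warns about): the caller's path is spliced
-- straight into dynamic SQL, so a path containing a single quote changes the
-- statement instead of staying inside the string literal.
CREATE PROCEDURE dbo.ImportFile_Unsafe
    @Path nvarchar(400)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'BULK INSERT dbo.ImportStaging FROM ''' + @Path
      + N''' WITH (FIELDTERMINATOR = '','', ROWTERMINATOR = ''\n'');';
    EXEC (@sql);
END;
GO

-- Hardened pattern: the caller supplies only a file name, the directory is
-- fixed (assumed: D:\imports), the name is checked against an allow-list, and
-- every single quote is doubled with REPLACE. QUOTENAME(@Path, '''') would do
-- the same doubling but returns NULL for input longer than 128 characters,
-- which real paths can exceed.
CREATE PROCEDURE dbo.ImportFile_Safe
    @FileName nvarchar(200)
AS
BEGIN
    -- Only letters, digits, underscore, hyphen, dot and a .csv extension pass;
    -- this rejects separators, quotes and ".." before any SQL text is built.
    IF @FileName IS NULL
       OR @FileName NOT LIKE N'%.csv'
       OR @FileName LIKE N'%[^A-Za-z0-9_.-]%'
       OR @FileName LIKE N'%..%'
        THROW 50001, N'File name is not in the allowed format.', 1;

    DECLARE @Path nvarchar(400) = N'D:\imports\' + @FileName;

    -- Build the literal with each embedded ' doubled, so the value cannot
    -- terminate the string even if the allow-list above is later relaxed.
    DECLARE @Literal nvarchar(max) =
        N'''' + REPLACE(@Path, N'''', N'''''') + N'''';

    DECLARE @sql nvarchar(max) =
        N'BULK INSERT dbo.ImportStaging FROM ' + @Literal
      + N' WITH (FIELDTERMINATOR = '','', ROWTERMINATOR = ''\n'');';
    EXEC sys.sp_executesql @sql;
END;
GO
```

The allow-list is the primary control; the quote doubling is defence in depth, since BULK INSERT does not accept a parameter for the file path and sp_executesql cannot bind one there.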

Microsoft SQL Server (Admin, Microsoft Azure) shared this idea.