Comments on: Page Internals – Investigation Proc http://sqlfool.com/2009/05/page-internals-investigation-proc/ Adventures in SQL Tuning - a blog for the rest of us Thu, 04 Feb 2010 08:21:02 -0700 http://wordpress.org/?v=2.9.1 hourly 1 By: Overhead in Non-Unique Clustered Indexes : SQL Fool http://sqlfool.com/2009/05/page-internals-investigation-proc/comment-page-1/#comment-3842 Overhead in Non-Unique Clustered Indexes : SQL Fool Thu, 21 May 2009 14:45:56 +0000 http://sqlfool.com/?p=935#comment-3842 [...] let’s take a look at the actual data pages. For this, I’m going to use my page internals proc. Execute dbo.dba_viewPageData_sp @databaseName = 'sandbox' , @tableName = [...] [...] let’s take a look at the actual data pages. For this, I’m going to use my page internals proc. Execute dbo.dba_viewPageData_sp @databaseName = ’sandbox’ , @tableName = [...]

]]> By: Jeremiah Peschka http://sqlfool.com/2009/05/page-internals-investigation-proc/comment-page-1/#comment-3298 Jeremiah Peschka Wed, 06 May 2009 19:20:17 +0000 http://sqlfool.com/?p=935#comment-3298 It seems like we're all learning today. Thanks to Adam, I now know a very very safe way to do clean up input from the outside world and use it safely in SQL. And, thanks to you, Michelle, I can now view horrifying details about SQL Server :) It seems like we’re all learning today. Thanks to Adam, I now know a very very safe way to do clean up input from the outside world and use it safely in SQL. And, thanks to you, Michelle, I can now view horrifying details about SQL Server :)

]]> By: Adam Machanic http://sqlfool.com/2009/05/page-internals-investigation-proc/comment-page-1/#comment-3297 Adam Machanic Wed, 06 May 2009 19:15:46 +0000 http://sqlfool.com/?p=935#comment-3297 Jeremiah: I prefer to wrap the QUOTENAME around PARSENAME so that the interface can handle either quoted or non-quoted identifiers as inputs. I don't believe there is a way to inject a quoted name... That's the whole point :-) Jeremiah:

I prefer to wrap the QUOTENAME around PARSENAME so that the interface can handle either quoted or non-quoted identifiers as inputs. I don’t believe there is a way to inject a quoted name… That’s the whole point :-)

]]> By: Michelle Ufford http://sqlfool.com/2009/05/page-internals-investigation-proc/comment-page-1/#comment-3296 Michelle Ufford Wed, 06 May 2009 19:14:28 +0000 http://sqlfool.com/?p=935#comment-3296 Thanks, Jeremiah and Adam! I didn't know you could do that. :) I've updated my script! Thanks, Jeremiah and Adam! I didn’t know you could do that. :)

I’ve updated my script!

]]> By: Jeremiah Peschka http://sqlfool.com/2009/05/page-internals-investigation-proc/comment-page-1/#comment-3295 Jeremiah Peschka Wed, 06 May 2009 19:11:23 +0000 http://sqlfool.com/?p=935#comment-3295 If you SET @databaseName = QUOTENAME(@databaseName, '['); you should be safe from *most* injection style attacks. I'm sure someone more cunning than I could trick their way around such a thing. If you SET @databaseName = QUOTENAME(@databaseName, ‘[‘); you should be safe from *most* injection style attacks. I’m sure someone more cunning than I could trick their way around such a thing.

]]> By: Adam Machanic http://sqlfool.com/2009/05/page-internals-investigation-proc/comment-page-1/#comment-3294 Adam Machanic Wed, 06 May 2009 19:07:52 +0000 http://sqlfool.com/?p=935#comment-3294 Why not just make it non-injectable? Just change references of @databaseName to: QUOTENAME(PARSENAME(@databaseName, 1)) Why not just make it non-injectable? Just change references of @databaseName to:

QUOTENAME(PARSENAME(@databaseName, 1))

]]>