Dynamically executing code is security-sensitive


    The "Dynamically executing code is security-sensitive" rule for SQL Server code states that dynamically executing code can be a security risk due to the possibility of malicious code being injected into the system. It is recommended that code be validated and tested before being executed to ensure that it is safe and secure. Additionally, developers should be aware of the potential security risks associated with dynamic execution and take steps to minimize them. This includes using stored procedures, parameterized queries, and input validation to prevent malicious code from being injected into the system.

Key Benefits

  • Leads to Data Theft: Dyanmically executing code can be used to run malicious code, which can lead to data theft, system breaches, and other security issues.
  • Hard to audit: It can be difficult to audit code that is dynamically executed, as it may be difficult to trace the source of the code or its purpose.
  • Difficult to debug: Debugging dynamic code can be difficult, as it may be hard to determine the source of the code or why it is not working properly.


Non-compliant Code Example

USE master;
declare @Id int;
EXEC ('USE AdventureWorks2012; SELECT BusinessEntityID, JobTitle FROM HumanResources.Employee WHERE Id = ''' + @Id + ''' ;');   --Non compliant code
Visual Expert 2024