0

How can I validate SELECT statements without executing them, using .NET and C#?

If the SQL is not valid, or if the SQL is an operation other than SELECT (for example: ALTER, INSERT, DELETE, ...), I want to return error rows.

This question is very much like: Code to validate SQL Scripts. But I do not want to accept any SQL script. I want to accept only SELECT statements.

Jonny Piazzi

2 Answers

2

Begin the statement with SET NOEXEC ON

http://msdn.microsoft.com/en-us/library/ms188394.aspx

Nick.Mc
  • Thanks for the help, but this solves the SQL script validation. How do I solve my question about SELECT? I want to validate ONLY SELECT statements. – Jonny Piazzi Aug 06 '14 at 12:24
  • You could check it as per SverreN's answer, but that could be pretty unsafe. Better would be to check it as per this answer, and only ever run it under a very limited SQL user account which only had SELECT permissions. – chrisb Aug 06 '14 at 12:41
  • Thinking outside the box, you could ensure that the user is a read-only user. Then they can never update data. Don't rely on manual parsing to exclude data changes. They could run a stored procedure that performs updates/inserts and you wouldn't know. – Nick.Mc Aug 06 '14 at 22:55
0

Use a Regular Expression to check it:
regex = "SELECT [*] FROM [*]"

SverreN
  • Good idea, but would have to be really careful that the regex used didn't allow injection vectors like comments and so on. – chrisb Aug 06 '14 at 12:38
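The two answers and their comments combined, as an added example that is not code from any poster on this page: a shape check that accepts exactly one SELECT, followed by the SET NOEXEC ON compile check run under a SELECT-only login. It goes beyond the page by swapping the regex for Microsoft's T-SQL parser (the `Microsoft.SqlServer.TransactSql.ScriptDom` package); the class name, method names, the `Microsoft.Data.SqlClient` package and the sample strings are assumptions, and the read-only login remains the actual control.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Microsoft.Data.SqlClient;                   // assumption: SqlClient NuGet package
using Microsoft.SqlServer.TransactSql.ScriptDom;  // assumption: T-SQL parser NuGet package
public static class SelectOnlyValidator           // hypothetical name
{
    // Gate 1 (no database): parse the text and accept exactly one SELECT, without INTO.
    public static List<string> CheckShape(string sql)
    {
        var parser = new TSql150Parser(true);
        TSqlFragment tree = parser.Parse(new StringReader(sql), out IList<ParseError> parseErrors);
        if (parseErrors.Count > 0)
            return parseErrors.Select(e => $"Line {e.Line}, column {e.Column}: {e.Message}").ToList();
        var statements = ((TSqlScript)tree).Batches.SelectMany(b => b.Statements).ToList();
        if (statements.Count != 1 || !(statements[0] is SelectStatement query))
            return new List<string> { "Only a single SELECT statement is accepted." };
        if (query.Into != null)
            return new List<string> { "SELECT ... INTO creates a table and is rejected." };
        return new List<string>();
    }

    // Gate 2 (server, SELECT-only login): SET NOEXEC ON compiles the batch without running it.
    public static List<string> CheckCompiles(string sql, string readOnlyConnectionString)
    {
        var errors = new List<string>();
        // Pooling is off so the NOEXEC session setting is discarded with the connection.
        var cs = new SqlConnectionStringBuilder(readOnlyConnectionString) { Pooling = false };
        using (var conn = new SqlConnection(cs.ConnectionString))
        {
            conn.Open();
            try
            {
                using (var on = new SqlCommand("SET NOEXEC ON;", conn)) on.ExecuteNonQuery();
                using (var cmd = new SqlCommand(sql, conn)) cmd.ExecuteNonQuery();
            }
            catch (SqlException ex)
            {
                errors.AddRange(ex.Errors.Cast<SqlError>().Select(e => $"Msg {e.Number}, line {e.LineNumber}: {e.Message}"));
            }
        }
        return errors;
    }

    public static void Main()
    {
        // Constructed inputs; only the first is accepted by the shape gate.
        foreach (var sql in new[] { "SELECT name FROM sys.objects", "SELECT 1; DELETE FROM t", "SELECT * INTO t2 FROM t", "SELECT FROM t" })
            Console.WriteLine($"{sql} -> {string.Join(" | ", CheckShape(sql).DefaultIfEmpty("accepted"))}");
    }
}
```

Call `CheckCompiles` only for text that passed `CheckShape`, and run the accepted query later under the same SELECT-only login.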