Question

I am looking for all the possible positions in a SQL statement where a SQL function can be called. It is my first time using SQL functions, and in my code I need to detect whether users' input contains a SQL function; if so, the input is not valid.

The position in the SQL statement means the SELECT clause or other clauses like FROM, WHERE, ...

I am using SQL Server.

So are there any suggestions for detecting SQL functions in a SQL statement, or for all the possible positions of a function in a statement?


Solution

SQL functions are allowed in any place in a SELECT where a column is allowed, i.e. anywhere in the SELECT list, in WHERE, JOIN, GROUP BY, HAVING, ORDER BY.

You'll need a SQL parser to know for sure if it's a function...

OTHER TIPS

If I understood your question, you are asking how and where to check about SQL code entered by the user.

Where:
I think you might need to check it in the user interface: check the textbox or files or whatever the input stream of the user is. This shall not be done in the SQL server, AFAIK.

How:
Usually you can use parameters in your SQL statements so that any value passed by the user is passed as a parameter, and if it contains SQL code, it will not be executed.
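The parameter approach from the tip above, shown side by side with string concatenation. This is an added example, not code from the original question or answers; it uses Python's built-in sqlite3 as a stand-in for SQL Server (the `?` placeholder style is the same one most SQL Server drivers accept), and the table and rows are constructed for the demonstration. The point it makes: with a bound parameter, user text that contains a function call is compared as a plain string and never parsed as SQL, while a legitimate value that merely mentions a function name (which a blocklist-style "contains a function" check would reject) is still stored and found correctly.

```python
import sqlite3

# Constructed sample data (not from the original post). The second row is a
# legitimate value that happens to contain function-like text.
SAMPLE_ROWS = ["hello", "use LEN() to get the length", "secret row"]


def make_db():
    """Create an in-memory database with a small comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?)", [(r,) for r in SAMPLE_ROWS])
    return conn


def find_concat(conn, term):
    """Vulnerable form: the user's text is pasted into the statement, so any
    SQL it contains (function calls included) is executed by the engine."""
    sql = "SELECT body FROM comments WHERE body = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def find_param(conn, term):
    """Safe form: the value travels separately from the statement text and is
    compared as a string literal, never parsed as SQL."""
    sql = "SELECT body FROM comments WHERE body = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    # Input that smuggles a function call into the WHERE clause.
    hostile = "' OR length(body) > 0 --"
    print("concat :", find_concat(db, hostile))   # every row leaks
    print("param  :", find_param(db, hostile))    # no row has that literal body
    # Legitimate input that merely mentions a function name.
    legit = "use LEN() to get the length"
    print("param  :", find_param(db, legit))      # still found: no need to block it
```

Because the parameter never reaches the SQL parser, the question's original goal (rejecting input that contains a function) becomes unnecessary: the input is data, not code, wherever the function text appears.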

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow