PROCEDURE spExecuteSQL

Procedure to safely execute an SQL select statement

The procedure casts the string to lowercase (this could affect some search statements) It rejects strings continuing semicolons; It then discards duplicate blanks, xp_, sp_, fn_, and ms_ substrings. we are guarding aginst things like 'select dbo.xp_cmdshell('format c');' Then, if the 'limit' parameter is > 0 (true), we insist that the statement have a top x in it for x < 1000, or we add a TOP 1000 clause. Once the SELECT statement is transformed, it is executed and returns the answer set or an error message.
All the SQL statements are journaled into WebLog.dbo.SQLlog. EXEC dbo.spExecuteSQL('Select count(*) from PhotoObj')

Input and output parameters

name type length inout pnum

@system tinyint 1 input 7

@maxQueries smallint 2 input 8

@limit int 4 input 2

@log bit 1 input 9

@filter bit 1 input 10

@throttle bit 1 input 11

@cmd varchar -1 input 1

@webserver varchar 64 input 3

@winname varchar 64 input 4

@clientIP varchar 50 input 5

@access varchar 64 input 6

name	type	length	inout	pnum
@system	tinyint	1	input	7
@maxQueries	smallint	2	input	8
@limit	int	4	input	2
@log	bit	1	input	9
@filter	bit	1	input	10
@throttle	bit	1	input	11
@cmd	varchar	-1	input	1
@webserver	varchar	64	input	3
@winname	varchar	64	input	4
@clientIP	varchar	50	input	5
@access	varchar	64	input	6