SELECT FROM EXECUTE without INSERT permissions

时间:2017-07-13 21:07:54

标签: sql sql-server

My company uses software that I can write queries into but we don't have permission to use keywords like CREATE, INSERT, or UPDATE.

So I have a set of results that I acquire by using EXECUTE sp_executesql @sql on a variable that contains some dynamic sql and I need to be able to JOIN the results of that command to a previously existing query. Since I cannot use INSERT, I cannot do something like the following:

DECLARE @temp TABLE ([column definitions here])

INSERT INTO @temp 
    EXECUTE sp_executesql @sql

SELECT ...
JOIN @temp

With that being said, does anyone have an alternative solution?

1 个答案:

答案 0 :(得分:0)

您可以尝试使用OPENROWSET执行该过程并将其包装在选择中。

SELECT * INTO @TMyTable FROM OPENROWSET('SQLNCLI',
    'Server=localhost;Trusted_Connection=yes;',
    'EXEC dbo.MyStoredProc'
);

根据需要调整连接字符串。

您可以直接将其他表格加入OPENROWSET结果,在这种情况下,您不需要INSERT权限(以及SELECT ... INTO结构)。

请注意,必须在服务器上启用Ad Hoc Distributed Queries才能执行此操作。

sp_configure 'Ad Hoc Distributed Queries', 1
GO
RECONFIGURE
GO

另请注意,存储过程可以生成多个结果集。在这种情况下,OPENROWSET将仅返回第一个。

另一个问题是,如果要为此提供参数,查询将容易受到SQL注入攻击,因此应谨慎使用此方法。

相关问题
最新问题