Posts by Phil Factor

Phil Factor (real name withheld to protect the guilty), aka Database Mole, has 30 years of experience with database-intensive applications.

Despite having once been shouted at by a furious Bill Gates at an exhibition in the early 1980s, he has remained resolutely anonymous throughout his career.

He is a regular contributor to Simple Talk and SQLServerCentral.

11 January 2019

The risks of using EXECUTE (‘SQL Script’)

Using dynamic SQL is unavoidable at times, but it is reckless to execute dynamic SQL that is created directly from strings that include values that change at execution time. It can allow SQL Injection and it is also inefficient. SQL Prompt's code analysis rule, BP013, will alert you to use of Execute(<string>), to execute...

22 December 2018

On Quickly Investigating a SQL Monitor Custom Security Alert

I recently wrote a series of articles that described four SQL Monitor custom metrics, designed purely to monitor for the signs of intrusion, or other unauthorized database changes. These metrics allow you to implement separate strategies for: Detecting SQL Injection attacks – the metric uses Extended Events to capture errors related to incorrect SQL...

15 November 2018

SQL Prompt Code Analysis: A Hint is Used (PE004-7)

“Because the SQL Server query optimizer typically selects the best execution plan, we recommend that hints be used only as a last resort by experienced developers and database administrators” — Microsoft SQL Server Documentation. Really, there should be no discussion about this, because the above warning, in the documentation, summarizes it so well. However,...