What are the security implications of sp_executesql?

Question:

By default, in SQL Server, the [public] role has EXECUTE rights on sp_executesql.

However, I’ve inherited a database server where the previous DBA has revoked the EXECUTE right on sp_executesql.

As a temporary workaround, I’ve been granting EXECUTE rights to sp_executesql on an as-needed basis (through a role in the master database). But this is beginning to be a maintenance pain.

If I grant EXECUTE back to public, are there any repercussions I need to be aware of?

Answer:

None. sp_executesql executes SQL under exactly the same context and privileges as the original caller would execute the same SQL. There are many, many cases when dynamic SQL is unavoidable.
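As an added example (not part of the original question or answer), the T-SQL below shows how an inheriting DBA can verify the current state of the EXECUTE permission on sp_executesql in master, restore the default grant to public, and then confirm the point made in the answer: a low-privileged user gets exactly the same permission error through sp_executesql as through a direct query, because the dynamic batch runs as the caller. The login, database and table names (demo_reader, demo_db, dbo.demo_data) and the sample row are hypothetical, constructed for this example; run it as a sysadmin on a non-production instance.

```sql
-- Added example, not from the original post. Run in SQL Server as sysadmin.
-- Hypothetical names: demo_reader (login/user), demo_db (database), dbo.demo_data (table).

USE master;
GO

-- 1. Who currently holds EXECUTE on sp_executesql? After the previous DBA's
--    revoke, the default GRANT to public is missing here (or shows as DENY).
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class_desc = 'OBJECT_OR_COLUMN'
  AND  pe.major_id   = OBJECT_ID('sys.sp_executesql');
GO

-- 2. Restore the default: EXECUTE on sp_executesql for public, granted in master.
GRANT EXECUTE ON sys.sp_executesql TO public;
GO

-- 3. Confirm that sp_executesql adds no privilege: create a user with no table
--    permissions and compare a direct SELECT with the same SELECT via sp_executesql.
CREATE LOGIN demo_reader WITH PASSWORD = 'ReplaceWithAStrongPassword!1';  -- hypothetical
GO
CREATE DATABASE demo_db;  -- hypothetical scratch database
GO
USE demo_db;
GO
CREATE USER demo_reader FOR LOGIN demo_reader;   -- no GRANTs on any table
CREATE TABLE dbo.demo_data (id int PRIMARY KEY, secret nvarchar(50));
INSERT INTO dbo.demo_data VALUES (1, N'constructed sample row');
GO

EXECUTE AS USER = 'demo_reader';

-- Direct query: fails with error 229 ("The SELECT permission was denied ...").
BEGIN TRY
    SELECT id FROM dbo.demo_data;
END TRY
BEGIN CATCH
    SELECT 'direct' AS path, ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS message;
END CATCH;

-- Same query through sp_executesql (parameterised, the way dynamic SQL should be
-- written): fails with the same error 229, because the batch runs as the caller,
-- not as the owner of sp_executesql.
BEGIN TRY
    EXEC sys.sp_executesql N'SELECT id FROM dbo.demo_data WHERE id = @id',
                           N'@id int',
                           @id = 1;
END TRY
BEGIN CATCH
    SELECT 'sp_executesql' AS path, ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS message;
END CATCH;

REVERT;
GO

-- 4. Remove the hypothetical objects.
USE master;
GO
DROP DATABASE demo_db;
DROP LOGIN demo_reader;
GO
```

Both CATCH blocks return error 229 for demo_reader, which is the observable form of the answer's claim: granting EXECUTE on sp_executesql back to public changes only whether callers may submit dynamic SQL, not what that SQL is allowed to touch. Step 1 is also the quickest way to audit other system procedures the previous DBA may have revoked, by swapping the object name in the WHERE clause.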
