BobNoobGuy BobNoobGuy - 13 days ago 6
SQL Question

Can select statement updates data in SQL Server?

I just got hand over with hundreds of SQL views, stored procedures and functions
I like to see data visually to better understand what the object does.

Can I assume if I run a select statement and execute the query - there is no chance that it modifies record/data?

I am just worry that there are some SQL tricks that can updates data via select statement.

Anything to watch out for inside the select? Any tips or keyword that I have to look out for?

Answer

A normal, basic SELECT does not modify data. However, there are a few things you should keep an eye out for.

If the code uses dynamic SQL to build a SELECT statement, you must worry about a SQL injection attack. Unless you are careful about parameterizing dynamic SQL, an attacker can do pretty much anything that the current login can do. For example, DROP TABLE, DROP DATABASE, etc. See the linked article on Wikipedia.

Furthermore, beware that a SELECT with the INTO clause can be used to create a table and insert records into it. See this question and Microsoft TechNet for more information.