How to prevent Sql-Injection on User-Generated Sql Queries

Front-end | unresolved | 15 answers | 2183 views
伪装坚强ぢ 2021-02-10 11:55

I have a project (private, ASP.net website, password protected with https) where one of the requirements is that the user be able to enter Sql queries that will directly query t

15 answers
  •  刺人心 (original poster)
     2021-02-10 12:28

    Plenty of answers saying that it's a bad idea but sometimes that's what the requirements insist on. There is one gotcha that I haven't spotted mentioned in the "If you have to do it anyway" suggestions though: Make sure that any update statements include a WHERE clause. It's all too easy to run

    UPDATE ImportantTable
    SET VitalColumn = NULL

    and miss out the important

    WHERE UserID = @USER_NAME

    If an update is required across the whole table then it's easy enough to add

    WHERE 1 = 1

    Requiring the where clause doesn't stop a malicious user from doing bad things but it should reduce accidental whole table changes.
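The "require a WHERE clause" guard from this answer, written out as an added example (not code from the answer's author or from the asker's project). It uses sqlite3 in memory as a stand-in for the real database, the table and column names are the ones from the answer, the rows are constructed sample data, and it extends the idea to DELETE as well as UPDATE. Literals and comments are blanked before the keyword check so that a WHERE inside a quoted value or a comment cannot satisfy it, and a batch is executed only after every statement passes, inside one transaction that is rolled back if any statement fails. As the answer says, this only catches accidental whole-table changes; it is a regex guard, not a SQL parser or a security boundary.

```python
import re
import sqlite3

# One regex pass that classifies SQL text into: things to ignore when looking
# for keywords (string literals, quoted identifiers, comments), statement
# terminators, and everything else one character at a time.
_TOKEN = re.compile(
    r"(?P<skip>'(?:[^']|'')*'"        # single-quoted string literal, '' escapes a quote
    r"|\"(?:[^\"]|\"\")*\""           # double-quoted identifier
    r"|--[^\n]*"                      # line comment
    r"|/\*.*?\*/)"                    # block comment
    r"|(?P<end>;)"                    # statement terminator
    r"|(?P<other>.)",                 # any other character
    re.S,
)
_MUTATING = re.compile(r"^\s*(UPDATE|DELETE)\b", re.I)
_WHERE = re.compile(r"\bWHERE\b", re.I)


def split_statements(sql):
    """Return a list of (original, cleaned) pairs, one per statement.

    'cleaned' has literals and comments replaced by a space, so a ';' or a
    WHERE inside a quoted value or comment does not affect the check.
    """
    statements, orig, clean = [], [], []
    for m in _TOKEN.finditer(sql):
        if m.lastgroup == "end":
            if "".join(orig).strip():
                statements.append(("".join(orig).strip(), "".join(clean).strip()))
            orig, clean = [], []
            continue
        orig.append(m.group(0))
        clean.append(" " if m.lastgroup == "skip" else m.group(0))
    if "".join(orig).strip():  # trailing statement without a ';'
        statements.append(("".join(orig).strip(), "".join(clean).strip()))
    return statements


def missing_where(sql):
    """Return the original text of every UPDATE/DELETE in the batch that has no WHERE."""
    return [
        original
        for original, cleaned in split_statements(sql)
        if _MUTATING.match(cleaned) and not _WHERE.search(cleaned)
    ]


def run_user_sql(conn, sql):
    """Run a user-supplied batch only if every UPDATE/DELETE is scoped by WHERE.

    Returns the number of rows changed. Raises ValueError if the guard rejects
    the batch (nothing is executed) and re-raises database errors after rolling
    the whole batch back.
    """
    offenders = missing_where(sql)
    if offenders:
        raise ValueError("UPDATE/DELETE without WHERE refused: " + " | ".join(offenders))
    before = conn.total_changes
    try:
        for original, _ in split_statements(sql):
            conn.execute(original)      # sqlite3 opens a transaction implicitly
        conn.commit()
    except sqlite3.Error:
        conn.rollback()                 # partial batches never reach the table
        raise
    return conn.total_changes - before


def make_demo_connection():
    """Constructed sample data standing in for the real ImportantTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ImportantTable (UserID TEXT, VitalColumn TEXT)")
    conn.executemany(
        "INSERT INTO ImportantTable VALUES (?, ?)",
        [("alice", "a"), ("bob", "b"), ("carol", "c")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = make_demo_connection()
    for batch in (
        "UPDATE ImportantTable SET VitalColumn = NULL",                          # rejected
        "UPDATE ImportantTable SET VitalColumn = 'WHERE'",                       # rejected: WHERE is inside a literal
        "UPDATE ImportantTable SET VitalColumn = NULL WHERE UserID = 'bob'",     # 1 row
        "UPDATE ImportantTable SET VitalColumn = NULL WHERE 1 = 1",              # whole table, explicitly
    ):
        try:
            print(run_user_sql(conn, batch), "row(s) changed:", batch)
        except ValueError as exc:
            print("refused:", exc)
```

The tokenizer is what makes the check worth having: a naive `"WHERE" in sql` test would accept `SET VitalColumn = 'WHERE'` or a WHERE that the user commented out, while `missing_where` rejects both. `WHERE 1 = 1` passes, which is the intended escape hatch from the answer for a deliberate whole-table update.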
