Project Description
For users of MS SQL Server, xp_cmdshell is a utility that we usually want to have disabled. However, there are still cases where calling a command line is needed. This project provides a framework/example for making command line calls. It is not meant as an xp_cmdshell replacement but as a workaround.

This project is NOT a complete solution, but rather a near complete solution. It is meant to provide a straightforward basis for implementing a call to a specific command line utility of your choosing. All the pieces are there except which command line to call.

What should NOT be done is to allow an arbitrary command line to be passed to the assembly; this would effectively be xp_cmdshell, which this SQLCLR is focused on avoiding.

What should be done is to allow as little as possible to be passed into the call. In other words, if you can know the entire command line at design time, hard-code it into the SQLCLR. While I may not be a fan of hard-coding in many cases, it is far better than allowing too much to be passed in. Also, if you have optional parameters that may be passed in, handle them as booleans on the SQLCLR call; this way the actual command is built in such a way that it is simply not possible for SQL injection to pass anything arbitrary to the command line.
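A sketch of the boolean-parameter approach described above. This is an added example, not the project's own code; the class name, procedure name, executable path and switches are all hypothetical placeholders.

```csharp
using System.Data.SqlTypes;
using System.Diagnostics;
using System.Text;
using Microsoft.SqlServer.Server;

public static class FixedCommandExample
{
    // Hypothetical utility and switches, all fixed at design time.
    private const string ExePath = @"C:\Tools\exampletool.exe";
    private const string BaseArgs = "/report";
    private const string VerboseSwitch = " /verbose";
    private const string ArchiveSwitch = " /archive";

    // Callers only choose which predefined switches are appended;
    // no caller-supplied text ever reaches the command line.
    public static string BuildArguments(SqlBoolean verbose, SqlBoolean archive)
    {
        var args = new StringBuilder(BaseArgs);
        if (verbose.IsTrue) args.Append(VerboseSwitch); // SQL NULL is treated as false
        if (archive.IsTrue) args.Append(ArchiveSwitch);
        return args.ToString();
    }

    [SqlProcedure]
    public static void RunExampleTool(SqlBoolean verbose, SqlBoolean archive)
    {
        var psi = new ProcessStartInfo(ExePath, BuildArguments(verbose, archive))
        {
            UseShellExecute = false,       // start the exe directly, no shell in between
            RedirectStandardOutput = true,
            CreateNoWindow = true
        };
        using (Process proc = Process.Start(psi))
        {
            string output = proc.StandardOutput.ReadToEnd();
            proc.WaitForExit();
            if (output.Length > 4000)
                output = output.Substring(0, 4000); // SqlPipe.Send(string) limit
            if (output.Length > 0)
                SqlContext.Pipe.Send(output);
        }
    }
}
```

Because the T-SQL signature exposes only two bit parameters, the set of command lines that can ever run is four fixed strings, which can be reviewed and audited at design time.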

I am not planning releases; the code presented is for your use as a basis to implement your own needs. The code as released works and shows the two calls that are useful: CmdExecWithParameters and ComdExecNoParameters. There is a supporting object called OutputResults, which can be used to return the output of the cmdexec call back to SQL Server.

Last edited Feb 29, 2012 at 9:39 PM by novaconceptsltd, version 3