How to Write Secure SQL Common Table Expressions? - ByteScout
  • Home
  • /
  • Blog
  • /
  • How to Write Secure SQL Common Table Expressions?

How to Write Secure SQL Common Table Expressions?

A common table expression (CTE) is a collection of query outputs. Such query outputs are collected from an uncomplicated query defined within a WITH clause and which directly leads to a SELECT or INSERT statement. A CTE occurs entirely within the range of a particular SQL statement. One or more CTEs can be utilized with the many SQL queries. Let’s take a look at it in more detail.

Writing reliable code is a constant difficulty, but it is especially important for SQL databases that would contrarily be exposed to various cyber-attacks including SQL injection attacks. The SQL queries can be one of the most significant parts of any site’s safety. So many programmers address queries that “just run” giving little attention to the wicked possibility of unsecured code.

What is Common Table Expressions (CTE)?

Common table expressions are a great characteristic of SQL. They enable users to save a passing output and execute a query after applying that output set. These can be effective when analyzing to perform a difficult method that SQL isn’t well adapted to manipulate. CTEs enable users to complete complex transactions in two different levels that make the test more straightforward to solve.

The common table expressions function just like subqueries, they have numerous advantages such as:

  • The strength to follow the same temporary output regularly over the query.
  • Enhanced readability for configuration.
  • More high-grade clarity into regularly applied result outputs that are great query results to become resistant tables/views.

Simple Example

  myaccount_lost_goods as (
    SELECT as act_id,
           COUNT(1) as lost_goods
      FROM my.orders__delivered d
      JOIN my.orders o
        ON = d.order_id
      JOIN sample.accounts s
        ON = s.account_id
     WHERE f.delivery_status = 'failure'
     GROUP BY 1


  account_total_profit as (
    SELECT x.account_id,
           SUM(x.total_amt) as totalamount
      FROM my.orders o
     GROUP BY 1

    SELECT as region,
           sr.title as sales_emp,
  as act_name,
           xyz.amount as total_profit,
      FROM sample.accounts s
      JOIN my.sales_emp sr
        ON = a.sales_emp_id
      JOIN my.region r
        ON = sr.state_id
      JOIN account_lost_goods xyz
        ON xyz.account_id =
       AND xyz.lost_goods > 1
      JOIN account_total_profit xyz
        ON xyz.account_id =
       AND xyz.amount >= 200000
     ORDER BY 1,2


How to Secure SQL CTE?

As mentioned earlier, SQL CTEs are called provisionally defined output sets. Being volatile indicates, CTE is restricted in range. The syntax is also defined as follows:

WITH <cte_title>(<column/columns>)
<inner query describing the CTE>
<outer query on CTE>

A provisional table can run within the SQL procedure’s scope or globally. But CTE’s run when the SELECT is executed. The difference between a view or a temporary table is that developers can’t reconfigure or reuse SQL CTE. The other significant thing about CTS is that it can be non-recursive or recursive.

The three major databases like MSSQL, Oracle, and MySQL all support the CTE. Not only SQL Server but also MySQL and Oracle support the idea. It is, in particular, a section of SQL-99 blueprints. While it is utilized to analyze SQL code, it does not enhance execution. And it also won’t restore subqueries and provisional tables. The following query is displaying the secure CTE.

Display all employees with their total number of orders.


WITH Sales_CTE (SalesEmpID, TotalOrders) 

            SELECT SalesEmpID, COUNT(*) 
            FROM Sales.SalesOrderTable 
            WHERE SalesEmpID IS NOT NULL 
            GROUP BY SalesEmpID

,CONCAT(X.LastName,', ',X.FirstName,' ',X.MiddleName) AS SalesEmployee
FROM Sales_CTE a
INNER JOIN Human.Human p ON a.SalesEmpID = p.BusinessDomainID


Example 2

WITH [cte_sample] AS (
SELECT 1 AS [myId], 'a id' as [label]
SELECT [myId]+1,[label]
FROM [cte_sample]
WHERE [myId] <= 20

SELECT * FROM [cte_sample]
SELECT SUM([myId]), 'sum_all' FROM [cte_sample]
SELECT SUM([myId]), 'sum_odd' FROM [cte_sample] WHERE [myId] % 2 = 1
SELECT SUM([myId]), 'total_even' FROM [cte_sample] WHERE [myId] % 2 = 0;

The above two examples are displaying that how to write a secure SQL CET. Common table expressions are a profoundly helpful program for compartmentalizing complicated SQL problems, especially when they comprise mixtures of multiple theories. Since each expression is explicitly recognized and described, debugging is much more comfortable (particularly if you’re applying highlight-to-run in Mode). Official or regular SQL does not support ORDER BY in table expressions when developers apply it for ordering the output sets. Yet, if TOP or OFFSET-FETCH is applied, ORDER BY becomes a filtering service.

Things Not Supported in a CTE

Apart from this, here are a few more important things that may not be used in a SQL CTE. These are given as follows:

  • Employing SELECT INTO, OPTION clause,
  • Using FOR BROWSE.
  • Using various data and types in the columns connected to the recursive segment strings.
  • Using the next keywords in a recursive part of a recursive CTE:
    • TOP
    • HAVING
    • GROUP BY
    • OUTER JOIN (But INNER JOIN is supported)
    • Subqueries

It is reasonable to define and apply more than one CTEs in a query. USers execute this by ordering or grouping every CTE with a comma, and they can utilize a WITH clause only when setting the first CTE.

The CTE defines a substitute identified output set, recognized as a common table expression (CTE). This is obtained from an uncomplicated query and set within the performance range of a particular SELECT, INSERT, UPDATE, DELETE or MERGE statement. This condition can also be utilized in a CREATE VIEW clause as a portion of its describing SELECT clause.

The reasoning in the SQL code with a subquery is the reverse of how coders thought about the explication. Also, recursive common table expressions (CTEs) are often utilized for the sequence creation and crossing of hierarchical data. Recursive common table expressions help traverse data that create a hierarchy.

For example, consider these queries that build a base data set that displays, for each emp in a company, the full name and ID, and the ID of the emp’s manager. In this, the CEO of a company has a manager ID or NULL (no manager). One important thing to remember here is that in CTEs, an inherited table can be called only one time within a query. A CTE can be called various times. To utilize various occurrences of a determined table output, users must obtain the result at various times.


A CTE consists of an interpretation style factoring the CTE, an arbitrary column index, and a query specifying the CTE. After a CTE is specified, it can be called a table or view in a SQL code. A CTE can also be utilized in a CREATE VIEW clause as a portion of its describing SELECT statement.


About the Author

ByteScout Team ByteScout Team of Writers ByteScout has a team of professional writers proficient in different technical topics. We select the best writers to cover interesting and trending topics for our readers. We love developers and we hope our articles help you learn about programming and programmers.