SQL Server Forums
 sql injection revisited
parrot
Posting Yak Master

USA
132 Posts

Posted - 01/04/2013 : 15:18:34
I posted a topic yesterday where I asked if the following statement is subject to SQL injection.
// Statement text built in two pieces; the ? is an OleDb positional placeholder
string strSQL = "INSERT INTO Mytable (Code, inputdata)";
strSQL += " VALUES ('1234', ?)";
OleDbCommand myCommand = new OleDbCommand(strSQL, OleDbConn1);
// OleDb binds by position, so "@mydata" is only a label in the Parameters collection
myCommand.Parameters.Add("@mydata", OleDbType.VarChar, 6);
myCommand.Parameters["@mydata"].Value = inputdat.Text;

I was told that this is positional parameterized code which is subject to SQL injection and that I should use SqlCommand instead with a scalar @inputdata. However, research on the internet indicates that the use of the positional ? is valid prevention for SQL injection using OleDbCommand in the same way that the scalar @ is used with SqlCommand. So who is right? Is the use of the positional ? dangerous? I want to be sure of this before I start changing massive amounts of code.
One of my sources for this information is at https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet.
Dave

robvolk
Most Valuable Yak

USA
15639 Posts

Posted - 01/04/2013 : 16:03:16
OWASP is a trustworthy source; if it's easier to use ? then go ahead.

However, please be aware of string concatenation. The safe OWASP examples don't use it, and one unsafe example does. The safest way is to have a single command:
string strSQL = "INSERT INTO Mytable (Code, inputdata) VALUES ('1234', ?)";
This improves the chance that you have a correct SQL statement and limits the possibility for inadvertent errors or injection avenues.

tkizer
Almighty SQL Goddess

USA
35954 Posts

Posted - 01/04/2013 : 16:15:39
Yeah I wasn't referring to the ? as being the problem. It was the string concatenation that I was commenting on.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/


parrot
Posting Yak Master

USA
132 Posts

Posted - 01/04/2013 : 16:37:21
I guess I don't know why my example uses string concatenation.

string strSQL = "INSERT INTO Mytable (Code, inputdata)";
strSQL += " VALUES ('1234', ?)";
OleDbCommand myCommand = new OleDbCommand(strSQL, OleDbConn1);
myCommand.Parameters.Add("@mydata", OleDbType.VarChar, 6);
myCommand.Parameters["@mydata"].Value = inputdat.Text;

The ? is used the same as the scalar @ in SqlCommand. It points to a positional parameter, doesn't it? How else would I code the above?

robvolk
Most Valuable Yak

USA
15639 Posts

Posted - 01/04/2013 : 17:03:58
// Whole statement in one literal; the only variable part is the bound parameter
string strSQL = "INSERT INTO Mytable (Code, inputdata) VALUES ('1234', ?)";
OleDbCommand myCommand = new OleDbCommand(strSQL, OleDbConn1);
myCommand.Parameters.Add("@mydata", OleDbType.VarChar, 6);
myCommand.Parameters["@mydata"].Value = inputdat.Text;
Notice it's not doing any strSQL += type stuff. That's concatenation, and that's usually where injection can sneak in. You want valid SQL statements encapsulated in a single string.

Even if concatenation yields the same result, it's still safer to reduce or eliminate its use. It's an ounce of prevention during coding. If you never concatenate, you almost guarantee against injection.
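An added example (not code from this thread or from either poster) showing the three forms discussed above side by side in C#: a concatenated statement that splices the user's value into the SQL text, the OleDbCommand form with a positional ? placeholder, and the SqlCommand form with a named @ placeholder. Mytable, the Code and inputdata columns, the literal '1234' and the parameter size of 6 are taken from the posts; the class name, the connection objects and the sample input are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Data.SqlClient;

// Added example, not the thread's own code. Assumes a table
// Mytable(Code, inputdata) as in the original post and an open connection
// supplied by the caller.
public static class InsertExamples
{
    // UNSAFE: the user-supplied value becomes part of the SQL text itself.
    // A value containing a single quote changes the structure of the
    // statement, which is the injection avenue robvolk describes. This is
    // the concatenation to avoid, independent of whether ? or @ is used.
    public static string BuildUnsafeSql(string userInput)
    {
        return "INSERT INTO Mytable (Code, inputdata) VALUES ('1234', '"
               + userInput + "')";
    }

    // SAFE with OleDb: the statement is one fixed literal and the ? is a
    // positional placeholder. OleDb binds parameters by position, so the
    // name "@mydata" only identifies the entry in the Parameters collection.
    // The value is sent separately from the SQL text and is never parsed
    // as SQL, whatever characters it contains.
    public static OleDbCommand BuildOleDbInsert(OleDbConnection conn, string userInput)
    {
        const string sql = "INSERT INTO Mytable (Code, inputdata) VALUES ('1234', ?)";
        var cmd = new OleDbCommand(sql, conn);
        cmd.Parameters.Add("@mydata", OleDbType.VarChar, 6).Value = userInput;
        return cmd;
    }

    // Equivalent with SqlClient: a named placeholder bound by name. This is
    // the "scalar @" form from the thread; it is no safer than the ? form,
    // only a different binding style.
    public static SqlCommand BuildSqlClientInsert(SqlConnection conn, string userInput)
    {
        const string sql = "INSERT INTO Mytable (Code, inputdata) VALUES ('1234', @mydata)";
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@mydata", SqlDbType.VarChar, 6).Value = userInput;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample input: a value that contains a single quote.
        string input = "ab'c";

        // The concatenated form embeds the quote in the statement text.
        Console.WriteLine("Concatenated SQL text:");
        Console.WriteLine("  " + BuildUnsafeSql(input));

        // The parameterized forms leave the statement text unchanged; the
        // quote lives only in the parameter value. No connection is opened
        // here, so the commands are built but not executed.
        var ole = BuildOleDbInsert(new OleDbConnection(), input);
        Console.WriteLine("OleDb SQL text:");
        Console.WriteLine("  " + ole.CommandText);
        Console.WriteLine("  bound value: " + ole.Parameters[0].Value);

        var sqlc = BuildSqlClientInsert(new SqlConnection(), input);
        Console.WriteLine("SqlClient SQL text:");
        Console.WriteLine("  " + sqlc.CommandText);
        Console.WriteLine("  bound value: " + sqlc.Parameters["@mydata"].Value);
    }
}
```

Running Main shows the point of the thread: in the first form the quote in the input lands inside the SQL text, while in both parameterized forms the command text is identical to the literal in the source and the quote appears only in the bound value. Concatenating fixed fragments of the statement (the strSQL += in the original post) does not by itself inject anything, but keeping the whole statement in one literal makes it obvious at a glance that no user data has been mixed into the text.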

parrot
Posting Yak Master

USA
132 Posts

Posted - 01/04/2013 : 17:08:08
Thanks for your feedback. In a word, do not use strSQL += anywhere; just use strSQL = the whole damn string. I thought you were referring to concatenating fields rather than the instruction string. So I still have some work to do, but not as much as having to convert everything from OleDbCommand to SqlCommand. Thanks again.