Is SQL injection possible if the parameter type is not set?

Is passing SQL parameters to the stored procedure enough on its own to stop SQL injection, or must type checks also be performed?

As an example -
ADO.NET Code:

    // Enterprise Library Data Access block: build a command for the stored procedure
    Database DBObject = DataAccess.DAL.GetDataBase();
    DbCommand command = DBObject.GetStoredProcCommand("usp_UpdateDatabase");

    // Untyped parameters: the DbType is inferred from the .NET value (string -> NVarChar)
    List<DbParameter> parameters = new List<DbParameter>();
    parameters.Add(new SqlParameter("@DbName", txtName.Text));
    parameters.Add(new SqlParameter("@DbDesc", txtDesc.Text));
    command.Parameters.AddRange(parameters.ToArray());

    int rowsAffected = DBObject.ExecuteNonQuery(command);

SP:

    ALTER PROCEDURE [dbo].[usp_GetSearchResults]
        -- Add the parameters for the stored procedure here
        @DbName NVARCHAR(50) = '',
        @DbDesc NVARCHAR(50) = ''
    AS
    BEGIN
        SET NOCOUNT ON;

        -- @DbName and @DbDesc are concatenated into the LIKE pattern as values;
        -- the statement text itself is fixed
        SELECT [RegionName], [AppName]
        FROM [ApplicationComponent]
        WHERE [DBName] LIKE ('%' + @DbName + '%')
           OR [DBDesc] LIKE ('%' + @DbDesc + '%')
    END

In the code above, I did not specify any parameter types or validation logic. Will this still prevent SQL injection?

Thanks for the guide!

+4
4 answers

No, that should be good. The value in the LIKE clause is still created as a string value, and is not interpreted as part of the SQL statement. It is still considered data, not code, and that is an essential part of preventing SQL injection attacks.

+8

Yes, this should protect you from SQL Injection.

You do not dynamically create an SQL string in your .NET code, and you do not use sp_execute to dynamically assemble and execute an SQL statement in a stored procedure.

+2
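The distinction the answer above draws, shown in T-SQL as an added example (this is not code from the question or from any of the answers): the question's procedure keeps @DbName as a value, a dynamic variant that pastes it into a string and runs EXEC turns it into code, and sp_executesql with a typed parameter keeps dynamic SQL safe. It assumes SQL Server 2016 SP1 or later for CREATE OR ALTER and the dbo.ApplicationComponent table the question's procedure reads; the two procedures with the _Dynamic suffix and the test value @attack are constructed for this illustration.

```sql
-- Added example, not from the original question or answers.
-- Assumes dbo.ApplicationComponent(RegionName, AppName, DBName, DBDesc) as implied
-- by the question's procedure, and CREATE OR ALTER (SQL Server 2016 SP1+).
-- The *_Dynamic_* procedure names are hypothetical, chosen for this illustration.

-- 1. The pattern from the question: @DbName is only ever a value. Whatever the
--    caller sends is compared as a string; it is never parsed as SQL.
CREATE OR ALTER PROCEDURE dbo.usp_GetSearchResults
    @DbName NVARCHAR(50) = '',
    @DbDesc NVARCHAR(50) = ''
AS
BEGIN
    SET NOCOUNT ON;
    SELECT RegionName, AppName
    FROM dbo.ApplicationComponent
    WHERE DBName LIKE '%' + @DbName + '%'
       OR DBDesc LIKE '%' + @DbDesc + '%';
END
GO

-- 2. The anti-pattern the answer warns about: the same parameter is pasted into
--    a string which is then executed, so @DbName becomes part of the statement.
CREATE OR ALTER PROCEDURE dbo.usp_GetSearchResults_Dynamic_Vulnerable
    @DbName NVARCHAR(50) = ''
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT RegionName, AppName FROM dbo.ApplicationComponent '
      + N'WHERE DBName LIKE ''%' + @DbName + N'%''';
    EXEC (@sql);
END
GO

-- 3. Dynamic SQL done safely: the statement text is fixed and the value is
--    handed to sp_executesql as a typed parameter, so it stays data.
CREATE OR ALTER PROCEDURE dbo.usp_GetSearchResults_Dynamic_Safe
    @DbName NVARCHAR(50) = ''
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT RegionName, AppName FROM dbo.ApplicationComponent '
      + N'WHERE DBName LIKE ''%'' + @p + ''%''';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(50)', @p = @DbName;
END
GO

-- Constructed test input: something a user could type into txtName.
DECLARE @attack NVARCHAR(50) = N'x%'' OR 1=1 --';

-- (1) and (3): the quote and the OR are just characters inside the pattern;
-- only rows whose DBName actually contains  x%' OR 1=1 --  would match.
EXEC dbo.usp_GetSearchResults @DbName = @attack;
EXEC dbo.usp_GetSearchResults_Dynamic_Safe @DbName = @attack;

-- (2): the concatenated text becomes
--     ... WHERE DBName LIKE '%x%' OR 1=1 --%'
-- so the WHERE clause is rewritten and every row comes back.
EXEC dbo.usp_GetSearchResults_Dynamic_Vulnerable @DbName = @attack;
```

Two practical notes. In (1) and (3), LIKE wildcards (`%` and `_`) typed by the user still act as wildcards inside the pattern; that is a search-behaviour issue rather than SQL injection, and an ESCAPE clause handles it if it matters. On the client side, declaring the parameter with an explicit type and length (for example SqlDbType.NVarChar, 50) matches the procedure's signature and avoids relying on inference from the .NET value.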

By default, the DbType for SqlParameter is NVarChar (according to the docs), so this is the type your parameters will have.

In any case, even if the parameters were of the wrong type, the worst thing you would get is a type-cast exception, not SQL injection.

0

I would suggest using typed parameters. Although the implementation will catch any injection attempt as of now, there is no real guarantee that this will still hold down the line - and I hope your application will have a long and prosperous life cycle ... =)

Regarding SQL Server, an MSDN article on this subject can be found here: http://msdn.microsoft.com/en-us/library/ff648339.aspx

0
