When you need to worry about SQL injection protection

Small background: I am the only programmer of this company. I work with existing structures.

However, the company has a DLL (Database.dll) which contains "all the interactions I need with databases", as in, it has Query(), Update(), Insert(), etc. Now the project that I am writing references Database.dll. My project accepts zero user input. The closest it gets to the user is a drop-down list from which the user can select a date. Not having much experience with this, I'm curious whether I still need to worry about SQL injection. And if so, is writing the query as

 var query = string.Format("SELECT timestamp FROM table1 WHERE date = \"{0}\" AND measured_dist = bit_loc AND rop > 0", Date);

enough to count as a parameterized query? Keep in mind that all query execution is handled by the pre-existing Query(), which, as I was told, I must use and cannot edit.

EDIT

This program is a WinForm application.

+6
5 answers

As noted in the comments, the answer is "always." Since it would be easy to add a parameter and do it right instead of concatenating, just do it right the first time. Also: injection is not the only problem in the code you showed. This code is also subject to localization / internationalization problems. What happens for a user whose PC is set up with a different culture? Dates and numbers will be formatted differently, and the query will often break. This does not happen with parameters. Also: names often have apostrophes in them :)

+6
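An added example (not code from the question or from the company's Database.dll) showing the two forms this answer contrasts: the date pasted into the SQL text, and the same query with a typed parameter. It is written directly against ADO.NET's SqlCommand because the signature of the wrapper's Query() is not shown; the connection string is a placeholder and the table and column names are taken from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Threading;

static class DateQueryExample
{
    // What the question does: the picked date is pasted into the SQL text.
    // Whatever value arrives (from the drop-down, or from a tampered client) becomes
    // part of the statement, and its text form depends on the current culture.
    public static string BuildUnsafe(DateTime date)
    {
        return string.Format(
            "SELECT timestamp FROM table1 WHERE date = '{0}' AND measured_dist = bit_loc AND rop > 0",
            date);
    }

    // Parameterized form: the date travels as a typed value alongside the SQL text,
    // so neither quoting nor culture formatting can alter the statement.
    public static SqlCommand BuildSafe(SqlConnection conn, DateTime date)
    {
        var cmd = new SqlCommand(
            "SELECT timestamp FROM table1 WHERE date = @date AND measured_dist = bit_loc AND rop > 0",
            conn);
        cmd.Parameters.Add("@date", SqlDbType.Date).Value = date.Date;
        return cmd;
    }

    static void Main()
    {
        var picked = new DateTime(2024, 3, 7); // constructed sample: what the drop-down might return

        // Same DateTime, two cultures: the unsafe SQL text changes with the user's PC settings.
        Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US");
        Console.WriteLine(BuildUnsafe(picked));
        Thread.CurrentThread.CurrentCulture = new CultureInfo("de-DE");
        Console.WriteLine(BuildUnsafe(picked));

        // Placeholder connection string; the parameterized command text is culture-independent.
        using (var conn = new SqlConnection("Server=(local);Database=PLACEHOLDER;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSafe(conn, picked);
            Console.WriteLine(cmd.CommandText);
        }
    }
}
```

If the Query() wrapper accepts only a finished SQL string and no parameters, this protection cannot be added from the caller's side; adding a parameter to the wrapper is the change this answer recommends.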

Extending @KirkWoll's valid comment: any time you include user input (or input from automated sources, for that matter) in a SQL statement, you put your program at risk of SQL injection.

As a matter of policy, you should never build your own SQL statement from any such input.

Always sanitize input and always use parameterized queries as the first line of defense against SQL injection.

If you haven't seen it yet, there is a great illustration on xkcd:

http://xkcd.com/327/

+4

Given that this is WinForms, the only safe way to access the database is to use stored procedures that take parameters. Then create a user who only has access to these SPs. Everything else is unsafe.

While parameterized queries work as a security measure when used with web applications that may receive "attacking" input, they fail when used with a local application that can be recompiled and rewritten to do anything. If you do not provide SP security, you are lost.

+2

Even though the user interaction is a drop-down, it is possible for a sophisticated attacker to submit a value that is not in the list of choices. So yes, you should still be wary of SQL injection.

+1

I would use prepared statements even if there weren't such a thing as SQL injection. They are simply easier to use, and in some cases they allow the database to cache the statement so it does not need to compile it again the next time you use it. Oracle does this, I think SQL Server does, and I don't know whether MySQL does.

You should always assume that there are hackers. Even on internal intranet projects, I use prepared statements, and I use nonces to prevent CSRF.

0