Question

I'm using ASP.NET, C# and MS SQL, I've created a rules builder page that allows users to build complex rules. This page builds what comes after the "Where" clause in a SQL call, but the rules page cannot build subqueries, order of operations, or other really complex clauses.

We want to give the option for advanced users to edit this statement, but we want to stop SQL injection attacks that can execute malicious code. We don't care if they want to put 1=1, we really care about them trying to break out to call update/delete/stored procedures, etc. So anything in MS SQL that can come after a where clause is fair.

Here is an example of an advanced query a user may want to enter that the rules generator will not build with its dropdown menus.

Where Org in (Select Org from AnotherTable Where Manager in (1,2,3)) AND ((Person= 4 OR Level = 5) AND Entity between 5 and 10 or Entity = 15)

Is there something that's out there or free that someone can think of? I've seen one cool rule builder out there that allows this, but it's over $2000.


Solution

Do you really need to sanitize the query or could you just execute the query as a user with limited permissions, so that they can't access internal tables or perform mutating operations? If you only want to allow arbitrarily complex SELECT queries, then adjusting permissions may be sufficient. Depending on your environment, though, you may still need to consider other types of attacks like repeated "SELECT * FROM ReallyBigTable" as a DoS-type attack.
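
The least-privilege approach the answer suggests, worked through in T-SQL as an added example (this is not code from the question or the answer). The database `AppDb`, the tables `dbo.People` and `dbo.AnotherTable`, the login `rules_reader` and the role `rules_readonly` are hypothetical names; the user's clause is the one from the question with the leading `Where` supplied by the application's template rather than by the user.

```sql
-- Added example: running user-authored WHERE clauses under a SELECT-only
-- database user in SQL Server. All object and principal names below are
-- assumptions for illustration (AppDb, dbo.People, dbo.AnotherTable,
-- rules_reader, rules_readonly).

-- 1. A login and database user that start with no rights beyond CONNECT.
CREATE LOGIN rules_reader WITH PASSWORD = 'replace-with-a-strong-password';
GO
USE AppDb;
GO
CREATE USER rules_reader FOR LOGIN rules_reader;
GO

-- 2. Grant SELECT only on the tables the rule builder exposes. Nothing
--    grants INSERT, UPDATE, DELETE or EXECUTE, so a clause that manages to
--    stack such a statement fails with a permission error instead of running.
CREATE ROLE rules_readonly;
GRANT SELECT ON dbo.People       TO rules_readonly;
GRANT SELECT ON dbo.AnotherTable TO rules_readonly;
ALTER ROLE rules_readonly ADD MEMBER rules_reader;
GO

-- 3. Deny things a low-privilege user can sometimes still reach.
DENY VIEW DEFINITION TO rules_reader;        -- cannot read object definitions
DENY EXECUTE ON SCHEMA::dbo TO rules_reader; -- no stored procedures in dbo
GO

-- 4. Run the user's clause as that user. EXECUTE AS USER lets an admin
--    session test the grants; the web app gets the same effect by opening
--    a separate connection with the rules_reader login for these queries.
DECLARE @userWhere nvarchar(max) =
    N'Org in (Select Org from AnotherTable Where Manager in (1,2,3)) '
  + N'AND ((Person = 4 OR Level = 5) AND Entity between 5 and 10 or Entity = 15)';

-- TOP caps the result size so a clause that matches everything cannot
-- drag the whole table back to the web tier.
DECLARE @sql nvarchar(max) =
    N'SELECT TOP (1000) * FROM dbo.People WHERE ' + @userWhere;

EXECUTE AS USER = 'rules_reader';
BEGIN TRY
    SET LOCK_TIMEOUT 5000;          -- give up after 5 s instead of waiting on locks
    EXEC sp_executesql @sql;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
REVERT;
GO

-- 5. What a break-out attempt looks like under these grants: the stacked
--    UPDATE raises error 229 ("The UPDATE permission was denied on the
--    object 'People' ...") and nothing is modified.
DECLARE @evil nvarchar(max) =
    N'SELECT TOP (1000) * FROM dbo.People WHERE 1=1; UPDATE dbo.People SET Level = 99';

EXECUTE AS USER = 'rules_reader';
BEGIN TRY
    EXEC sp_executesql @evil;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;   -- 229
END CATCH;
REVERT;
GO
```

Two caveats when wiring this into the ASP.NET page. The limited login must be used only for the rule-builder queries, on its own connection string, never for the application's normal data access, or the grants have to widen until they protect nothing. And permissions do not address the resource-exhaustion case the answer raises: pair the `TOP` cap with a short `SqlCommand.CommandTimeout` on that connection, and consider running the query through a view that already hides columns the user should not see, since `SELECT *` in the template will return every column of the granted table.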

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow