Question

I have read a lot of things about SQL injection and many arguments why you should avoid building your query dynamically using plain code/concatenation within your .cs file.

However, I have a question and I need some advice from someone with more experience than me.

I created some DLL files in order to re-use my code in different projects, and for that reason I was thinking generically.

I created these DLL files, which contain all the logic/code for building SQL queries in a dynamic way + concatenation of statements. Thereafter, I add these DLL files as references to my project.

Will this be vulnerable to SQL injection? Also, is that an insufficient procedure (time consuming / insufficient maintenance)?

Any advice would be appreciated.


Solution

If you are not processing the input that you are passing to your query (built at run time), you are vulnerable to SQL injection. Adding it to a DLL or not doesn't make any difference.

To overcome this you need to use parameterised queries. They have multiple advantages apart from security.

One reason that I can think of right now is that you have a text box. And your query is

 string sql = "select * from table1 where name = '" + textbox1.Text + "'";

Now let's assume that in textbox1 the user enters Ehsan's. Your query will go bang and won't even execute.

Example of a parameterised query:

 yourCommand.CommandText = "select * from table1 where name = @Name";
 yourCommand.Parameters.AddWithValue("@Name", textbox1.Text);
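The lookup from the answer above, written out both ways as an added example (this is not code from the answer or from the asker's DLL). It assumes a hypothetical `table1` with an `nvarchar` column `name`, ADO.NET's `System.Data.SqlClient`, and a connection string supplied by the caller.

```csharp
// Added example, not code from the original answer.
// Assumes a hypothetical table "table1" with an nvarchar column "name".
using System;
using System.Data;
using System.Data.SqlClient;

public static class NameLookup
{
    // Concatenated version: the input becomes part of the SQL text.
    // For the input  Ehsan's  the text produced is
    //   select * from table1 where name = 'Ehsan's'
    // which is a syntax error; other inputs can change the query's meaning
    // instead of merely breaking it.
    public static string BuildConcatenated(string userInput)
    {
        return "select * from table1 where name = '" + userInput + "'";
    }

    // Parameterised version: the SQL text is fixed at compile time and the
    // value travels separately, so an apostrophe in the input is just data.
    public static DataTable FindByName(string connectionString, string userInput)
    {
        var result = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand("select * from table1 where name = @Name", connection))
        {
            // Explicit type and length instead of AddWithValue, so the server
            // does not have to infer the parameter type from the .NET value.
            command.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = userInput;
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```

`AddWithValue` as used in the answer works too; the explicit `Parameters.Add` with a `SqlDbType` is the usual recommendation because an inferred type (for example `nvarchar` against a `varchar` column) can force implicit conversions and defeat an index.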

OTHER TIPS

It's difficult to know for sure but if you do something like

string sql = "SELECT Field FROM Table WHERE Field = " + Somevar;

Then you are open to SQL injection if Somevar comes from input of some kind (usually user input).

There is just no reason to do it as you can just do

string sql = "SELECT Field FROM Table WHERE Field = @myvar";

You should make sure you are using parameterized queries or stored procedures, etc.

And avoid using dynamic SQL queries such as

"SELECT * FROM Users WHERE UserID = " + UserID

as these are vulnerable to SQL injection.

Instead use a parameterized query or a stored procedure, e.g.

"SELECT * FROM Users WHERE UserID = @UserID"

Most ORMs (e.g. .NET's Entity Framework) will provide some protection against SQL injection (but only if used properly).

This link explains it in more detail: http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
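The asker's concern was a reusable library that assembles queries "generically". As an added example (not the asker's DLL and not code from either answer), the helper below shows how a class library can still build a WHERE clause dynamically while every user-supplied value goes through a parameter: only the parts that cannot be parameterised (table and column names) are assembled into the SQL text, and those are accepted only from lists the calling project registers. The `Users`/`UserID`/`Name` identifiers are hypothetical.

```csharp
// Added example, not code from the question's DLL or from the answers.
// Table and column names used below are hypothetical.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class SafeQueryBuilder
{
    // Identifiers cannot be sent as parameters, so they are accepted only
    // from fixed lists supplied by the caller; values always become parameters.
    public static SqlCommand BuildSelect(
        string table,
        ISet<string> allowedTables,
        ISet<string> allowedColumns,
        IDictionary<string, object> filters)
    {
        if (!allowedTables.Contains(table))
            throw new ArgumentException("Unknown table: " + table, nameof(table));

        var sql = new StringBuilder("SELECT * FROM [").Append(table).Append("]");
        var command = new SqlCommand();
        var index = 0;

        foreach (var filter in filters)
        {
            if (!allowedColumns.Contains(filter.Key))
                throw new ArgumentException("Unknown column: " + filter.Key, nameof(filters));

            // The SQL text only ever contains whitelisted identifiers and
            // generated placeholder names; the filter value is a parameter.
            var placeholder = "@p" + index++;
            sql.Append(index == 1 ? " WHERE " : " AND ")
               .Append('[').Append(filter.Key).Append("] = ").Append(placeholder);
            command.Parameters.AddWithValue(placeholder, filter.Value ?? DBNull.Value);
        }

        command.CommandText = sql.ToString();
        return command;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: the calling project registers what it exposes.
        var tables = new HashSet<string> { "Users" };
        var columns = new HashSet<string> { "UserID", "Name" };

        // Filter values come from the user; an apostrophe or a trailing
        // "OR 1=1" stays inside the parameter and never reaches the SQL text.
        var filters = new Dictionary<string, object> { ["Name"] = "Ehsan's" };

        using (var command = SafeQueryBuilder.BuildSelect("Users", tables, columns, filters))
        {
            Console.WriteLine(command.CommandText);
            foreach (SqlParameter p in command.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }
    }
}
```

The command is returned unconnected so the library stays independent of where the connection string lives; the calling project assigns `command.Connection` and executes it. If a column name arrives that is not on the registered list, the helper throws rather than trying to escape it, which is the behaviour you want from a shared DLL.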

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow