Question

Basic question. If I have a form that asks a user for their name, email, and comments, and I store the entries in the database... What happens if someone types in a SQL query such as:

DROP tablename

in the comments section.

@Name,
@Email,
@Comments

INSERT INTO mytable (Name, Email, Comments) VALUES (@Name, @Email, @Comments)

Is there any risk of SQL injection or am I perfectly safe?

SQL Server 2008 Stored Procedure to handle insert.


The solution

Yes, you are safe.

SQL injection works by changing the syntax of an SQL query by interpolating malicious input.

But one query parameter always substitutes for one scalar value. There's no way any malicious input can change the syntax of the query if you use parameters.
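As an added illustration of this answer (not code from the original post), here are the two insert styles side by side. Python's sqlite3 stands in for SQL Server, with `?` placeholders standing in for the @Name, @Email, @Comments parameters; the sample comments are constructed, one of them being the question's own "DROP tablename".

```python
import sqlite3

# Constructed sample inputs: the question's "DROP tablename" typed into the
# comments box, and a comment that happens to contain a single quote.
COMMENTS = ["DROP tablename", "Great site, O'Brien's team says thanks"]


def new_db():
    """Fresh in-memory database with the table from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (Name TEXT, Email TEXT, Comments TEXT)")
    return conn


def insert_inline(conn, name, email, comments):
    """Inline SQL built by string interpolation: user text becomes query text."""
    sql = ("INSERT INTO mytable (Name, Email, Comments) "
           f"VALUES ('{name}', '{email}', '{comments}')")
    conn.execute(sql)


def insert_parameterized(conn, name, email, comments):
    """Placeholders (? here, @Name etc. in T-SQL) each bind one scalar value;
    the driver never splices the value into the SQL text."""
    conn.execute(
        "INSERT INTO mytable (Name, Email, Comments) VALUES (?, ?, ?)",
        (name, email, comments),
    )


def run(insert):
    """Insert every sample comment with the given function.
    Returns (stored Comments values, number of failed inserts, table names)."""
    conn = new_db()
    failures = 0
    for comment in COMMENTS:
        try:
            insert(conn, "Alice", "alice@example.com", comment)
        except sqlite3.Error:
            failures += 1  # the input altered the statement's syntax
    rows = [r[0] for r in conn.execute(
        "SELECT Comments FROM mytable ORDER BY rowid")]
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return rows, failures, tables


if __name__ == "__main__":
    print("inline:       ", run(insert_inline))
    print("parameterized:", run(insert_parameterized))
```

Note that "DROP tablename" on its own is stored as plain text even by the inline version, because it never leaves the string literal; it is the quote in the second comment that breaks the inline statement, while the parameterized version stores both comments verbatim and the table is untouched.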

Other tips

You can use a parameter object. It can restrict SQL injection. Don't use inline SQL. If you do use inline SQL, check for single quotes ("'") within the parameter.

The short answer to your question is: you are safe if you use parameters.

(The comments below are a bit outside the scope of your original question, but I strongly recommend you take some time to learn more about this topic.)

However, this doesn't mean you shouldn't validate user input in any way. Even though you are safe from SQL injection, failing to validate user input may lead to your data getting dirty with just about anything people will insert.

Also, make sure you are using an account with the least privileges, to improve security even more.

Here is a good article on this topic from MSDN.

Licensed under: CC-BY-SA with attribution