SQL Injection even on using SQLParameters C#


  • User124127460 posted

    Hi All,

    • I have SQL-parameterized all the queries, but I am still able to find some SQL injections using the SQLMap tool. The code snippet used is:

      strbldr.Append("select * from table1 ");
      strbldr.Append("where col1=@val1 and status = '" + CONST_ACT + "'");  // constant concatenated into the SQL text

      htparams.Add("@val1", strval1);  // user-supplied value passed as a parameter

      CONST_ACT is a constant value; it does not come from any user input. Can this be SQL injection prone?

      Also, regarding the ExecuteQuery method below: is the method used correctly here, or is it still leaving something behind to inject (de-normalizing the parameterization)?


      dataset1 = SqlHelper.ExecuteQuery(strbldr.ToString(), htparams);  // method takes a string, so the StringBuilder is converted


      Part of the ExecuteQuery method definition:
      -------------------------------

      public static DataSet ExecuteQuery(string strCommandText, Hashtable htbParameters)
      {
          SqlParameter[] objParams = null;
          IEnumerator objEnum = null;
          int iCount = 0;

          if (htbParameters != null)
          {
              // One SqlParameter per Hashtable entry; every value is sent as a string
              objParams = new SqlParameter[htbParameters.Count];
              objEnum = htbParameters.Keys.GetEnumerator();

              while (objEnum.MoveNext())
              {
                  objParams[iCount] = new SqlParameter(objEnum.Current.ToString(), Convert.ToString(htbParameters[objEnum.Current]));
                  iCount = iCount + 1;
              }
          }

          // ... remainder of the method (command execution and return) omitted in the post
      }

    Sunday, June 5, 2016 3:00 PM

All replies

  • User475983607 posted

    Is there a question in there?

    Sunday, June 5, 2016 5:22 PM
  • User1559292362 posted

    Hi anandbpatil,

    I have SQL Parameterized all the queries, but I am still able to find some sql injections using SQLMap tool.

    According to your description, I assume that the SQLMap tool thinks it's a SQL injection because a variable is used instead of a parameter. Please modify the code like below and check it with the SQLMap tool.

    strbldr.Append("select * from table1 ");
    strbldr.Append("where col1=@val1 and status = @status");  // constant now bound as a parameter too

    htparams.Add("@val1", strval1);

    htparams.Add("@status", CONST_ACT);

    Best regards,

    Cole Wu

    Monday, June 6, 2016 1:05 AM
  • User124127460 posted

    CONST_ACT is a constant value; it does not come from any user input. Can this be SQL injection prone?

    This statement, with a question mark.

    Monday, June 6, 2016 4:40 AM
  • User124127460 posted

    Thanks, I am currently trying this; will update if it works, or even if it doesn't :)

    Monday, June 6, 2016 4:51 AM
  • User332523570 posted

    Hi,

    As per me, a tool does not understand whether an input comes from the end user or is a constant value.

    So it is a good idea to have parameters for all WHERE conditions.

    Agree with Cole Wu

    Monday, June 6, 2016 5:20 AM
  • User124127460 posted

    Hi All,

    I tried parameterising the constant values, but I'm still getting the same injections. I am getting stacked queries and WAITFOR DELAY injections using the SQLMap tool.

    Monday, June 6, 2016 2:56 PM
  • User753101303 posted

    Hi,

    Perhaps show how you are using objParams later in your code?

    Monday, June 6, 2016 4:01 PM
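As an added example, not code posted by anyone in this thread, here is a complete version of the helper pattern under discussion: the Hashtable entries become SqlParameters that are attached to the same SqlCommand that executes the text, and both the user value and the constant are bound as parameters. The connection string argument, the SqlHelper and Example class names, the Lookup method and the value of CONST_ACT are assumptions.

```csharp
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class SqlHelper
{
    // Every Hashtable entry becomes a SqlParameter attached to the executing command, so no value is spliced into the SQL.
    public static DataSet ExecuteQuery(string connectionString, string commandText, Hashtable htbParameters)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(commandText, conn))
        {
            cmd.CommandType = CommandType.Text;
            if (htbParameters != null)
            {
                foreach (DictionaryEntry entry in htbParameters)
                {
                    // Convert.ToString sends every value as NVARCHAR; set SqlDbType explicitly for numeric columns.
                    cmd.Parameters.Add(new SqlParameter(entry.Key.ToString(), Convert.ToString(entry.Value)));
                }
            }
            var ds = new DataSet();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(ds);   // opens and closes the connection as needed
            }
            return ds;
        }
    }
}

public static class Example
{
    const string CONST_ACT = "ACTIVE";  // application constant (assumed value), not user input

    public static DataSet Lookup(string connectionString, string strval1)
    {
        // The SQL text is fixed at compile time; the user value and the constant are both
        // bound as parameters, so whatever arrives in strval1 is only ever compared as data.
        var strbldr = new StringBuilder();
        strbldr.Append("select * from table1 ");
        strbldr.Append("where col1 = @val1 and status = @status");
        var htparams = new Hashtable();
        htparams.Add("@val1", strval1);
        htparams.Add("@status", CONST_ACT);
        return SqlHelper.ExecuteQuery(connectionString, strbldr.ToString(), htparams);
    }
}
```

If a scanner still reports findings after this change, the place to look is any code path where the parameter array is built but never attached to the command that actually runs, or where a different command text is executed.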