SQL Injection-Protection without Parameters

  • Question

  • Hello,

    I'm using SqlCommand to select a large number of data rows. The method that performs this select takes several arrays of parameters, which are used to build a dynamic SQL SELECT string. Most of these parameter arrays are ints, GUIDs and bools, but there are some arrays of strings, too.

    I'm using SqlParameters for the string parameters to avoid SQL injection. The other parameters are put directly into the CommandText.
    Now I have the problem that the total number of string parameters in the arrays exceeds 2100, so I hit the SQL Server limit on the maximum number of parameters.

    Is there a simple way to check the content of the individual string parameters for code injection, or do I have to develop a more complex solution?

    The optimum would be a .NET Framework method...

    Thanks in advance

    Andreas

    Monday, March 14, 2011 3:47 PM

All replies

  • I guess it is time to use session tables.



    Visual C++ MVP
    Monday, March 14, 2011 9:39 PM
  • We used temporary tables in another project to solve the maximum-parameter problem with simple "IS IN" conditions. In my actual case the parameters are used to build more complex WHERE conditions. That's why I'm searching for another solution and why I would like to check the individual input parameters for code injection and use them after that inside my command text...
    Tuesday, March 15, 2011 7:12 AM
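The thread asks for a .NET method that checks a string for "code injection" so it can be placed into the CommandText. There is no such method, and blacklist-style checks are not a reliable defence, so the usual answer is to keep strings out of the SQL text entirely and avoid the 2100-parameter limit some other way. The example below is added here and is not code from the thread. It shows the two halves of that: int, Guid and bool values formatted into the text (which is safe only because their formatted form cannot contain a quote or comment sequence), and each string array passed as a single table-valued parameter that can be used inside arbitrary WHERE logic, not only a flat IN list as with the temporary-table approach mentioned above. It assumes SQL Server 2008 or later, .NET Framework 3.5 SP1 or later, and a user-defined table type dbo.StringList created once on the server; the table dbo.Orders and its columns are placeholders for the poster's schema.

```csharp
// Added example, not code from the original thread. Assumptions: SQL Server 2008+
// (table-valued parameters), .NET Framework 3.5 SP1+, and this type created once:
//
//   CREATE TYPE dbo.StringList AS TABLE (Value nvarchar(200) NOT NULL);
//
// dbo.Orders and its columns are placeholders for the poster's real schema.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Text;

public static class DynamicSelect
{
    // Typed .NET values may be formatted straight into the SQL text: the output can
    // only contain digits, hex digits and dashes, so no quote, comment or semicolon
    // can ever appear. This is the only case where skipping SqlParameter is sound.
    static string Literal(int v)  { return v.ToString(CultureInfo.InvariantCulture); }
    static string Literal(bool v) { return v ? "1" : "0"; }
    static string Literal(Guid v) { return "'" + v.ToString("D") + "'"; } // 8-4-4-4-12 hex

    // One SqlParameter carries a whole string array as a table, so the number of
    // strings no longer counts against the 2100-parameter limit. SqlClient matches
    // DataTable columns to the table type by position, so the column name is cosmetic.
    static SqlParameter StringList(string name, string[] values)
    {
        var table = new DataTable();
        table.Columns.Add("Value", typeof(string));
        foreach (string s in values) table.Rows.Add(s);   // no escaping, no filtering

        var p = new SqlParameter(name, SqlDbType.Structured);
        p.TypeName = "dbo.StringList";
        p.Value = table;
        return p;
    }

    public static SqlCommand Build(SqlConnection conn, int[] customerIds,
                                   Guid[] productIds, bool? isOpen,
                                   string[] tags, string[] regions)
    {
        var sql = new StringBuilder("SELECT o.* FROM dbo.Orders o WHERE 1 = 1");
        var cmd = new SqlCommand();
        cmd.Connection = conn;

        if (customerIds.Length > 0)
            sql.Append(" AND o.CustomerId IN (")
               .Append(string.Join(",", Array.ConvertAll(customerIds, id => Literal(id))))
               .Append(")");

        if (productIds.Length > 0)
            sql.Append(" AND o.ProductId IN (")
               .Append(string.Join(",", Array.ConvertAll(productIds, g => Literal(g))))
               .Append(")");

        if (isOpen.HasValue)
            sql.Append(" AND o.IsOpen = ").Append(Literal(isOpen.Value));

        // String lists are referenced as tables, so they compose with OR, EXISTS and
        // joins inside the dynamic WHERE clause; the strings never enter the SQL text.
        if (tags.Length > 0 || regions.Length > 0)
        {
            sql.Append(" AND (");
            if (tags.Length > 0)
            {
                sql.Append("o.Tag IN (SELECT t.Value FROM @tags t)");
                cmd.Parameters.Add(StringList("@tags", tags));
            }
            if (tags.Length > 0 && regions.Length > 0) sql.Append(" OR ");
            if (regions.Length > 0)
            {
                sql.Append("EXISTS (SELECT 1 FROM @regions r"
                         + " WHERE r.Value = o.Region AND o.Priority > 1)");
                cmd.Parameters.Add(StringList("@regions", regions));
            }
            sql.Append(")");
        }

        cmd.CommandText = sql.ToString();
        return cmd;
    }
}
```

Usage is the same as for any SqlCommand: call Build with an open SqlConnection and the arrays, then ExecuteReader. A tag value such as `x' OR 1=1 --` arrives in the @tags table as that exact string and is compared as data. If the server is older than 2008 and the type cannot be created, the remaining options are batching the strings into chunks below the parameter limit or the temporary-table approach from the replies above; in neither case should the strings be interpolated after a content check.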