Is SqlBulkCopy vulnerable to SQL Injection?

  • Question

  • Hello Sir,

    I just want to know: is SqlBulkCopy secure or not?
    Or can SQL injection be applied to SqlBulkCopy?

    Thanks,

    Vasudev Choudhary

    Monday, August 3, 2015 6:52 AM

Answers

  • SqlBulkCopy uses parameterized requests to load data into the destination table so is not vulnerable to SQL injection. 

    Although not part of SqlBulkCopy, if the source object passed to the WriteToServer method (DataTable, DbDataReader, or DataRow[]) is extracted using a SQL query, that query could be vulnerable if not parameterized or constructed from an untrusted source.


    Dan Guzman, SQL Server MVP, http://www.dbdelta.com

    • Proposed as answer by Bob Beauchemin Monday, August 3, 2015 4:35 PM
    • Marked as answer by Eric__Zhang Tuesday, August 11, 2015 2:48 AM
    Monday, August 3, 2015 10:39 AM
  • Although not part of SqlBulkCopy, if the source object passed to the WriteToServer method (DataTable, DbDataReader, or DataRow[]) is extracted using a SQL query, that query could be vulnerable if not parameterized or constructed from an untrusted source.


    And this is the key: the question asked is the wrong question. It is not certain methods that are vulnerable to SQL injection. It is how you build the query strings that matters. If you build your string by concatenating values, the string is open for SQL injection. If you use a parameterised query and never include user data in the string itself, you are safe from SQL injection.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Marked as answer by Eric__Zhang Tuesday, August 11, 2015 2:48 AM
    Monday, August 3, 2015 9:03 PM
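The point both answers make, that the exposure sits in how the source query is built rather than in SqlBulkCopy itself, as an added C# example that is not part of the thread or of any Microsoft sample. The tables dbo.StagingOrders and dbo.Orders, the ORDERS_DB environment variable and the destination allowlist are assumptions made for illustration; the code uses System.Data.SqlClient (Microsoft.Data.SqlClient exposes the same types).

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Assumed schema (hypothetical):
//   dbo.StagingOrders(CustomerId int, Amount money)  -- source rows
//   dbo.Orders(CustomerId int, Amount money)         -- bulk-copy destination
// The connection string is read from an assumed environment variable ORDERS_DB.
public static class BulkCopyInjectionDemo
{
    // VULNERABLE: the source query handed to SqlBulkCopy is built by string
    // concatenation. SqlBulkCopy itself does nothing wrong here; the reader it
    // consumes is produced by an injectable SELECT. A customerId such as
    // "1 OR 1=1" copies every staged row; "1; DROP TABLE dbo.Orders --" runs a
    // second statement before the copy even starts.
    public static void CopyUnsafe(string connectionString, string customerId)
    {
        string sql = "SELECT CustomerId, Amount FROM dbo.StagingOrders WHERE CustomerId = " + customerId;

        using (var source = new SqlConnection(connectionString))
        using (var destination = new SqlConnection(connectionString))
        {
            source.Open();
            destination.Open();

            using (var cmd = new SqlCommand(sql, source))
            using (SqlDataReader reader = cmd.ExecuteReader())
            using (var bulk = new SqlBulkCopy(destination) { DestinationTableName = "dbo.Orders" })
            {
                bulk.WriteToServer(reader);
            }
        }
    }

    // SAFE: the untrusted value travels as a typed parameter. The statement text
    // is a constant, so there is no string boundary for an attacker to escape.
    public static void CopySafe(string connectionString, int customerId, string destinationTable)
    {
        const string sql = "SELECT CustomerId, Amount FROM dbo.StagingOrders WHERE CustomerId = @CustomerId";

        using (var source = new SqlConnection(connectionString))
        using (var destination = new SqlConnection(connectionString))
        {
            source.Open();
            destination.Open();

            using (var cmd = new SqlCommand(sql, source))
            {
                cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;

                using (SqlDataReader reader = cmd.ExecuteReader())
                using (var bulk = new SqlBulkCopy(destination)
                {
                    DestinationTableName = ResolveDestination(destinationTable),
                    BatchSize = 5000
                })
                {
                    bulk.WriteToServer(reader);
                }
            }
        }
    }

    // Identifiers (table and column names) are not values and cannot be bound as
    // parameters, in SqlBulkCopy or anywhere else. If the destination has to vary,
    // map the caller's choice onto a fixed allowlist instead of passing its text
    // straight into DestinationTableName. The allowlist contents are assumptions.
    private static readonly HashSet<string> AllowedDestinations =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "dbo.Orders", "dbo.OrdersArchive" };

    public static string ResolveDestination(string requested)
    {
        if (!AllowedDestinations.Contains(requested))
            throw new ArgumentException("Destination table is not in the allowlist.", nameof(requested));
        return requested;
    }

    public static void Main(string[] args)
    {
        string cs = Environment.GetEnvironmentVariable("ORDERS_DB")
                    ?? "Server=localhost;Database=Demo;Integrated Security=true";

        // Untrusted text becomes a typed value before it gets anywhere near SQL.
        string input = args.Length > 0 ? args[0] : "42";
        if (!int.TryParse(input, out int customerId))
        {
            Console.Error.WriteLine("CustomerId must be an integer.");
            return;
        }

        CopySafe(cs, customerId, "dbo.Orders");
        // CopyUnsafe(cs, input);   // kept only to show the pattern to avoid
    }
}
```

The two copy methods differ only in how the SELECT that feeds WriteToServer is produced; the SqlBulkCopy call is identical in both. The allowlist goes one step beyond the thread: parameters protect values, but table and column names are identifiers and have to be constrained some other way, so they should never come straight from a caller.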
