locked
Prevent SQL Injection RRS feed

  • Question

  • User-614943948 posted

    I have this simple query executed in custom control.

    SELECT StateID, StateName FROM State WHERE IsEnabled = 'TRUE' ORDER BY StateName

    How can I prevent SQL Injection form this code?

    Thursday, January 28, 2021 8:15 AM

Answers

  • User-821857111 posted

    That code is not susceptible to SQL injection. SQL injection is only possible if you incorporate untrusted input as part of the SQL statement e.g.:

    SELECT StateID, StateName FROM State WHERE IsEnabled = " + Request.Query["some_value"] + "' ORDER BY StateName

    Usually, this input comes from form fields and URLs. You use parameterized queries to prevent SQL injection: https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 28, 2021 8:29 AM
  • User-252651875 posted

    Always follow below rules to prevent sql injection

    • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
    • Don't build SQL strings out of unchecked user input.
    • Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
    • Check for second-level vulnerabilites - don't build SQL query strings out of SQL table values if these values consist of user input.
    • Use stored procedures to encapsulate database operations.
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, February 4, 2021 11:23 AM

All replies

  • User-821857111 posted

    That code is not susceptible to SQL injection. SQL injection is only possible if you incorporate untrusted input as part of the SQL statement e.g.:

    SELECT StateID, StateName FROM State WHERE IsEnabled = " + Request.Query["some_value"] + "' ORDER BY StateName

    Usually, this input comes from form fields and URLs. You use parameterized queries to prevent SQL injection: https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 28, 2021 8:29 AM
  • User-614943948 posted

    Thank you Mike

    Thursday, January 28, 2021 12:00 PM
  • User-252651875 posted

    Always follow below rules to prevent sql injection

    • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
    • Don't build SQL strings out of unchecked user input.
    • Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
    • Check for second-level vulnerabilites - don't build SQL query strings out of SQL table values if these values consist of user input.
    • Use stored procedures to encapsulate database operations.
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, February 4, 2021 11:23 AM