A question regarding SQL Injection

  • Question

  • User1052662409 posted

    Hi All,

    I always use a parameterized query for my CRUD operations like below to prevent SQL Injection.

    Update tbluser Set Username =@Username.... so on
    // some code goes here
    command.Parameters.AddWithValue("@Username", txtUsername.Text);

    That works fine.

    Actually I was in a conversation on "SQL Injection", and I found that someone was saying we can have a shortcut method for SQL Injection, so we don't even need to do a parameterized query.

    [And he was using a CRUD operation like below]

    Update tbluser Set Username ='"+txtUsername.Text+"'.... so on

    I was shocked: what is that? Then I asked him how we can achieve this without using a parameterized query. He said we can set this in its own web.config file (with inline query). After that the conversation ended.

    I got back to my place and tried to find some way to bypass parameterized queries using the web.config file with an inline query, but unfortunately I did not find one.

    Did anybody use that web.config method? Or is there any setting regarding parameterized queries in web.config which can handle SQL Injection for the whole web application?

    Please give your inputs / suggestions.

    Friday, March 15, 2019 8:56 AM

Answers

  • User753101303 posted

    Hi,

    The only thing I can think of is https://www.owasp.org/index.php/ASP.NET_Request_Validation which strictly speaking is unrelated to SQL injection (though a customized version could also add SQL filtering?)

    IMHO there is no valid reason for NOT using SQL parameters. For example, this kind of code prevents the use of a ' character in the string (you need to pass all values through your own function anyway to properly format them).

    If your concern is that it's a bit more verbose, you could hide this behind a thin API so that you can write things such as (this is what EF does when you want to go back to raw SQL queries):

    ExecuteSqlCommand("UPDATE tlbUser SET UserName=@p0 etc...",txtUserName.Text,Email.Text,UserId) for example...

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, March 15, 2019 9:22 AM
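Added example (not code from either poster): it reproduces the question's string-built UPDATE next to the thin `@p0, @p1, ...` wrapper the answer describes, using Python's sqlite3 as a stand-in for ADO.NET so it runs offline. The table `tbluser`, its rows, and the value `O'Brien` are constructed; the helper names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the poster's tbluser.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbluser (UserId INTEGER PRIMARY KEY, Username TEXT)")
    conn.executemany("INSERT INTO tbluser VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def update_concat(conn, user_id, username):
    # Mirrors the question's "Set Username ='" + txtUsername.Text + "'" pattern:
    # the raw value becomes part of the SQL text the engine parses.
    sql = "UPDATE tbluser SET Username='" + username + "' WHERE UserId=" + str(user_id)
    conn.execute(sql)
    conn.commit()


def execute_sql(conn, sql, *args):
    # Thin wrapper in the spirit of EF's ExecuteSqlCommand: positional arguments
    # are bound to @p0, @p1, ... so callers never splice values into the SQL.
    params = {"p%d" % i: value for i, value in enumerate(args)}
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def username_of(conn, user_id):
    return conn.execute("SELECT Username FROM tbluser WHERE UserId=?", (user_id,)).fetchone()[0]


def demo():
    conn = make_db()
    name = "O'Brien"  # constructed, legitimate value containing the ' the answer mentions
    try:
        update_concat(conn, 1, name)
        concat_ok = True
    except sqlite3.OperationalError:
        # The ' ends the string literal early and the statement no longer parses;
        # data that changes the statement's shape is exactly the injection problem.
        concat_ok = False
    rows = execute_sql(conn, "UPDATE tbluser SET Username=@p0 WHERE UserId=@p1", name, 1)
    return concat_ok, rows, username_of(conn, 1)


if __name__ == "__main__":
    print(demo())
```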