Is this ASP.NET code SQL-injection proof?

Problem: I have a form with text fields and a function that should return a query string built from the values of those text fields.

Solution: I created a SqlCommand with parameters, then I put SqlCommand.CommandText into a string and returned it (to the business logic that will handle the query).

Main question: is this SQL-injection proof?

Code example:

 sQuery = "select * from xy where x like '%@txtNameParameter%'";
 SqlCommand cmd = new SqlCommand(sQuery);
 cmd.Parameters.Add("@txtNameParameter", SqlDbType.VarChar);
 cmd.Parameters["@txtNameParameter"].Value = txtName.Text;
 string query = cmd.CommandText;
 return query;

Sub-question, if the main question is in order: should I also put the values of the radio buttons and the dropdown menu into parameters, or are they not injectable?

+3
1 answer

What you are doing there is injection-proof because you are not injecting anything. In fact, your parameter is not even being used (the only reference to it is inside the string literal, so the SQL parser will never see where you are trying to use the parameter; it treats it as part of the string literal).

You can change this line of code to:

 sQuery = "select * from xy where x like '%' +@txtNameParameter +'%'"; 

Which would make the SQL look like:

 select * from xy where x like '%' +@txtNameParameter +'%' 

It is just string concatenation at the place where a string is expected in the SQL statement.

However, your description of what you do after this may blow all of this out of the water. I cannot understand why you would want to send only the WHERE clause of the query to the business layer.

Also, the WHERE clause string will not contain the data that you put into the parameter, so you get no more benefit than simply returning

 return "where x like '%@txtNameParameter%'"; 

The parameter value is lost.

+5
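As an added example that is not part of the original question or answer: the same query built the way the answer suggests (wildcards concatenated to the parameter in SQL rather than a placeholder inside a literal), with the radio-button and dropdown values from the sub-question parameterised as well, and the complete SqlCommand returned instead of its CommandText so the bound values are not lost. The column names category and region and the parameter names @radioChoice and @dropdownChoice are assumptions; it uses System.Data.SqlClient.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Builds the search query from the form values and returns the fully
// parameterised SqlCommand, so the layer that executes it receives both
// the SQL text and the bound values (CommandText alone drops the values).
public static class SearchQueryBuilder
{
    public static SqlCommand Build(string nameText, string radioChoice, string dropdownChoice)
    {
        // Broken form from the question: "@txtNameParameter" sits inside a string
        // literal, so SQL Server never sees a parameter. The query matches rows
        // containing the literal text "@txtNameParameter" and the bound value is ignored.
        // const string broken = "select * from xy where x like '%@txtNameParameter%'";

        // Correct form: the wildcards are concatenated to the parameter in SQL.
        // The parameter is outside any literal, so its value is bound as data and
        // is never parsed as SQL. Column names category/region are assumptions.
        const string sql =
            "select * from xy " +
            "where x like '%' + @txtNameParameter + '%' " +
            "  and category = @radioChoice " +
            "  and region = @dropdownChoice";

        var cmd = new SqlCommand(sql);

        // Every user-controlled value goes through a parameter, including the
        // radio-button and dropdown selections: the posted values are client
        // input too and cannot be trusted to stay within the rendered choices.
        cmd.Parameters.Add("@txtNameParameter", SqlDbType.VarChar, 100).Value = nameText;
        cmd.Parameters.Add("@radioChoice", SqlDbType.VarChar, 20).Value = radioChoice;
        cmd.Parameters.Add("@dropdownChoice", SqlDbType.VarChar, 20).Value = dropdownChoice;

        return cmd;
    }
}
```

The caller assigns cmd.Connection and executes it; returning cmd.CommandText as a string would hand back only the SQL text with the @-placeholders and none of the values.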

Source: https://habr.com/ru/post/1200076/
