Maybe I'm wrong, but you are already using parameters, so there is no risk of SQL injection. @message is passed as a separate SQL parameter using log4net, not through string concatenation.
But if you are afraid of SQL injection, what about using a stored procedure...?
Edit: Don't be afraid, dear OP. Here is the missing evidence that the log4net logging mechanism is safe from SQL injection:
Records are written to the database either using a prepared statement or using a stored procedure. The CommandType property is set to Text (System.Data.CommandType.Text) to indicate the prepared statement or StoredProcedure (System.Data.CommandType.StoredProcedure) to indicate the stored procedure.
So, prepared -> precompiled -> safe parameter assignment.
If you need more information, you can find it here.
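To make the "prepared statement with parameter assignment" point concrete, here is an added example (not part of the answer above and not log4net's own code) that mimics what the AdoNetAppender does: the log message is bound as a parameter, never spliced into the SQL text. It uses Python's sqlite3 as a stand-in for ADO.NET, so the placeholder is written `:message` where the log4net `commandText` would use `@message`; the table, the function names and the sample messages are all constructed for this demonstration. The concatenated variant is included only as the anti-pattern to contrast against.

```python
import sqlite3

# Constructed sample log messages; the last two contain SQL metacharacters
# of the kind that routinely end up in real log lines (names, search terms).
SAMPLE_MESSAGES = [
    "User logged in",
    "Customer O'Reilly updated profile",
    "Search term: ' OR 1=1 --",
]


def open_log_db():
    """Fresh in-memory database with a minimal log table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE log (id INTEGER PRIMARY KEY, level TEXT, message TEXT)"
    )
    return conn


def write_log_parameterized(conn, level, message):
    """The log4net way: the statement text is fixed and the values are bound
    as parameters, so the message is data regardless of what it contains.
    (sqlite3 spells the placeholder :message; ADO.NET spells it @message.)"""
    conn.execute(
        "INSERT INTO log (level, message) VALUES (:level, :message)",
        {"level": level, "message": message},
    )
    conn.commit()


def write_log_concatenated(conn, level, message):
    """Anti-pattern, shown only for contrast: the message becomes part of the
    SQL text, so any quote or comment marker in it changes the statement."""
    sql = f"INSERT INTO log (level, message) VALUES ('{level}', '{message}')"
    conn.execute(sql)
    conn.commit()


def stored_messages(conn):
    """Return every stored message in insertion order."""
    return [row[0] for row in conn.execute("SELECT message FROM log ORDER BY id")]


def param_result(message):
    """What ends up stored when the message is bound as a parameter."""
    conn = open_log_db()
    write_log_parameterized(conn, "INFO", message)
    return stored_messages(conn)[0]


def concat_result(message):
    """What ends up stored when the message is concatenated into the SQL;
    None means the database rejected the mangled statement outright."""
    conn = open_log_db()
    try:
        write_log_concatenated(conn, "INFO", message)
    except sqlite3.OperationalError:
        return None
    return stored_messages(conn)[0]


def compare_all(messages=SAMPLE_MESSAGES):
    """Side-by-side table: message -> (stored via parameter, stored via concat)."""
    return {m: (param_result(m), concat_result(m)) for m in messages}


if __name__ == "__main__":
    for msg, (via_param, via_concat) in compare_all().items():
        print(f"{msg!r}\n  parameter : {via_param!r}\n  concat    : {via_concat!r}")
```

Running it shows that the parameterized path stores every message byte-for-byte, while the concatenated path either raises a syntax error (the apostrophe in "O'Reilly") or stores something other than the original text (the `' OR 1=1 --` term). That behavioural difference is exactly why a CommandType of Text with bound parameters, or a stored procedure call, is not exposed to the injection the original question worried about.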