I have developed a custom web part for SharePoint and I am concerned about its security. The web part is essentially the basis of a quiz that starts with user registration; they simply enter their name and email address. For successful surveys, the result is written to the list, and these registration variables are placed directly on the list.
Should I be worried about SQL injection attacks? Is the data shielded by SharePoint before being added to the list? Or does SharePoint use named parameters with a prepared statement? Alternatively, does it just go verbatim?
Thank you for understanding.
UPDATE
I would perhaps rephrase that I am inserting code into a SharePoint list, so it will not be "directly" into the database. I'm not sure if a process is happening (especially in terms of security) when an item is inserted into a list and (I guess) into a database table somewhere. Here is some of the code I'm using:
Get user input through standard HTML input
output.Write("<div>Please enter your e-mail address</div><div><input type=\"text\" value=\"\" size=\"30\" name=\"takerEmail\"></div>");
Here's how data is inserted
// Open the site and web, then add one row to the results list.
using (SPSite siteSuccessWrite = new SPSite("http://www.mycompany.com"))
{
    using (SPWeb webSuccessWrite = siteSuccessWrite.OpenWeb())
    {
        SPList insertResults = webSuccessWrite.Lists[resultsList];
        SPListItem quizEntry = insertResults.Items.Add();

        // Field values are assigned straight from the form variables.
        quizEntry["firstName"] = firstName;
        quizEntry["lastName"] = lastName;
        quizEntry["email"] = email;
        quizEntry["phone"] = phone;
        quizEntry["department"] = dept;
        quizEntry["score"] = score;

        // Persist the new item.
        quizEntry.Update();
    }
}
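Added example, not the code from the question above: with the SharePoint server object model, field values assigned to an SPListItem are handed to SharePoint's own data layer as parameters rather than spliced into SQL text, so the string is stored as typed. The check a reviewer would want on this web part is therefore on the two ends the object model does not cover: validating what comes in from the form (length, e-mail syntax) and HTML-encoding anything that is written back to the page with output.Write, so a stored "<script>" shows up as text. The site URL, the resultsList variable, the takerEmail form field and the column names are taken from the question; the class, its methods, the 255-character limit and the int type of score are assumptions made for illustration.

```csharp
using System;
using System.Net.Mail;
using System.Web;
using System.Web.UI;
using Microsoft.SharePoint;

// Added example, not the original poster's code. Class and method names,
// the 255-character limit and the int score are assumptions for illustration.
public static class QuizEntryWriter
{
    // Single-line text columns hold at most 255 characters; reject longer
    // input here rather than letting Update() fail with a less helpful error.
    private const int MaxTextLength = 255;

    // Reads one posted field and trims it. Returns null when the field is
    // missing, empty or over the length limit so the caller can refuse the post.
    public static string ReadText(HttpRequest request, string fieldName)
    {
        string raw = request.Form[fieldName];
        if (string.IsNullOrEmpty(raw))
        {
            return null;
        }
        string trimmed = raw.Trim();
        return trimmed.Length <= MaxTextLength ? trimmed : null;
    }

    // Accepts only a syntactically valid address: MailAddress throws
    // FormatException on anything it cannot parse.
    public static string ReadEmail(HttpRequest request, string fieldName)
    {
        string candidate = ReadText(request, fieldName);
        if (candidate == null)
        {
            return null;
        }
        try
        {
            return new MailAddress(candidate).Address;
        }
        catch (FormatException)
        {
            return null;
        }
    }

    // Stores the entry. Values are given to SPListItem as objects; the object
    // model stores the string exactly as supplied. That does not make the
    // string safe to render later, which RenderConfirmation handles.
    public static void WriteResult(string siteUrl, string resultsList,
        string firstName, string lastName, string email, string phone,
        string dept, int score)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPList list = web.Lists[resultsList];
            SPListItem entry = list.Items.Add();
            entry["firstName"] = firstName;
            entry["lastName"] = lastName;
            entry["email"] = email;
            entry["phone"] = phone;
            entry["department"] = dept;
            entry["score"] = score;
            entry.Update();
        }
    }

    // Echoes user-supplied values back to the page. Each one is HTML-encoded
    // so a stored "<script>" tag is displayed as text instead of executed.
    public static void RenderConfirmation(HtmlTextWriter output,
        string firstName, string email)
    {
        output.Write("<div>Thank you, ");
        output.Write(HttpUtility.HtmlEncode(firstName));
        output.Write(". Your result was recorded for ");
        output.Write(HttpUtility.HtmlEncode(email));
        output.Write(".</div>");
    }

    // Ties the pieces together for the takerEmail field from the question's
    // form. Returns false (and stores nothing) when the address is unusable.
    public static bool TryStoreEntry(HttpRequest request, HtmlTextWriter output,
        string siteUrl, string resultsList, string firstName, string lastName,
        string phone, string dept, int score)
    {
        string email = ReadEmail(request, "takerEmail");
        if (email == null)
        {
            output.Write("<div>Please enter a valid e-mail address.</div>");
            return false;
        }
        WriteResult(siteUrl, resultsList, firstName, lastName, email, phone, dept, score);
        RenderConfirmation(output, firstName, email);
        return true;
    }
}
```

The same ReadText check applies to the name, phone and department fields before they reach WriteResult; the one place the raw form value should never appear is inside an output.Write call without HtmlEncode around it.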