Solved

SqlParameter help

Posted on 2003-10-21
1
255 Views
Last Modified: 2010-04-16
I've got a database object that I use for my connection layer and in this layer I'm attempting to involve the use of sql parameters. My problem is that I'm making it very general so that it can be easily reused.  Here is my code.

            public void Insert(Hashtable ht)
            {
                  SqlDataAdapter sd = new SqlDataAdapter();
                  sd.InsertCommand = this.myConnection.CreateCommand();
                  sd.InsertCommand.CommandText = this.sql;
                  this._addParams(sd.InsertCommand, ht);
                  sd.InsertCommand.ExecuteNonQuery();
                  
            }

            private void _addParams( SqlCommand cmd, Hashtable ht)
            {
                  IDictionaryEnumerator myEnum = ht.GetEnumerator();
                  while(myEnum.MoveNext())
                  {
                        cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
                        cmd.Parameters["@" + myEnum.Key.ToString()].Value = myEnum.Value.ToString();
                  }
            }

My question is that normally this line:
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());

would have 4 parameters that would include a SqlDbType parameter and a length. Because this is general I left it out. Am I still inviting sql Injection as a possible problem?  

Anyone have some ideas on how to make this more robust?

Thanks
0
Comment
Question by:jayrod
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 10

Accepted Solution

by:
ptmcomp earned 300 total points
ID: 9592790
- You can't do SQL injection over sql parameters. Your code is safe so far.
- Provide only datareader and if needed datawriter rights to the database user.
- Your data is not typed if you do it that way.
- Test your code and try to do sql injection (e.g. 10'; shutdown; when logged in as "sa" - what you never should be...). More information here: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- The user could also do HTML/Javascript injection. Are you showing any data in the web browser? Be sure to filter or encode it.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
Calculating holidays and working days is a function that is often needed yet it is not one found within the Framework. This article presents one approach to building a working-day calculator for use in .NET.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question