Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

SqlParameter help

Posted on 2003-10-21
1
Medium Priority
?
262 Views
Last Modified: 2010-04-16
I've got a database object that I use for my connection layer and in this layer I'm attempting to involve the use of sql parameters. My problem is that I'm making it very general so that it can be easily reused.  Here is my code.

            public void Insert(Hashtable ht)
            {
                  SqlDataAdapter sd = new SqlDataAdapter();
                  sd.InsertCommand = this.myConnection.CreateCommand();
                  sd.InsertCommand.CommandText = this.sql;
                  this._addParams(sd.InsertCommand, ht);
                  sd.InsertCommand.ExecuteNonQuery();
                  
            }

            private void _addParams( SqlCommand cmd, Hashtable ht)
            {
                  IDictionaryEnumerator myEnum = ht.GetEnumerator();
                  while(myEnum.MoveNext())
                  {
                        cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
                        cmd.Parameters["@" + myEnum.Key.ToString()].Value = myEnum.Value.ToString();
                  }
            }

My question is that normally this line:
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());

would have 4 parameters that would include a SqlDbType parameter and a length. Because this is general I left it out. Am I still inviting sql Injection as a possible problem?  

Anyone have some ideas on how to make this more robust?

Thanks
0
Comment
Question by:jayrod
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 10

Accepted Solution

by:
ptmcomp earned 1200 total points
ID: 9592790
- You can't do SQL injection over sql parameters. Your code is safe so far.
- Provide only datareader and if needed datawriter rights to the database user.
- Your data is not typed if you do it that way.
- Test your code and try to do sql injection (e.g. 10'; shutdown; when logged in as "sa" - what you never should be...). More information here: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- The user could also do HTML/Javascript injection. Are you showing any data in the web browser? Be sure to filter or encode it.
0

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Extention Methods in C# 3.0 by Ivo Stoykov C# 3.0 offers extension methods. They allow extending existing classes without changing the class's source code or relying on inheritance. These are static methods invoked as instance method. This…
This article describes a simple method to resize a control at runtime.  It includes ready-to-use source code and a complete sample demonstration application.  We'll also talk about C# Extension Methods. Introduction In one of my applications…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question