Solved

SqlParameter help

Posted on 2003-10-21
Last Modified: 2010-04-16
I've got a database object that I use for my connection layer and in this layer I'm attempting to involve the use of SQL parameters. My problem is that I'm making it very general so that it can be easily reused. Here is my code.

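    using System.Collections;      // Hashtable, IDictionaryEnumerator
    using System.Data.SqlClient;   // SqlCommand, SqlDataAdapter

    public void Insert(Hashtable ht)
    {
        SqlDataAdapter sd = new SqlDataAdapter();
        sd.InsertCommand = this.myConnection.CreateCommand();
        sd.InsertCommand.CommandText = this.sql;
        this._addParams(sd.InsertCommand, ht);
        sd.InsertCommand.ExecuteNonQuery();
    }

    // Binds every Hashtable entry to the command as the parameter @<key>.
    private void _addParams(SqlCommand cmd, Hashtable ht)
    {
        IDictionaryEnumerator myEnum = ht.GetEnumerator();
        while (myEnum.MoveNext())
        {
            // This call resolves to Add(string, object): the second argument is an
            // initial value, which the next line replaces with the real one.
            cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
            cmd.Parameters["@" + myEnum.Key.ToString()].Value = myEnum.Value.ToString();
        }
    }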

My question is that normally this line:
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());

would have 4 parameters that would include a SqlDbType parameter and a length. Because this is general I left it out. Am I still inviting SQL injection as a possible problem?

Anyone have some ideas on how to make this more robust?

Thanks
Question by: jayrod

1 Comment

Accepted Solution

by: ptmcomp (LVL 10), earned 300 total points
ID: 9592790
- You can't do SQL injection over SQL parameters. Your code is safe so far.
- Provide only datareader and, if needed, datawriter rights to the database user.
- Your data is not typed if you do it that way.
- Test your code and try to do SQL injection (e.g. 10'; shutdown; when logged in as "sa", which you never should be...). More information here: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- The user could also do HTML/JavaScript injection. Are you showing any data in the web browser? Be sure to filter or encode it.
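An added example, not the poster's or the answerer's code: a variant of the generic helper that keeps each value's native type instead of calling ToString(), so the provider infers the SqlDbType, and that shows the answer's test string remaining a parameter value. The AddParams name and the Orders table and its columns are assumptions; it needs System.Data.SqlClient and no database connection.

```csharp
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;   // assumption: .NET Framework, or the System.Data.SqlClient package

public static class ParamDemo
{
    // Hypothetical helper: binds each Hashtable entry as the parameter @<key>.
    // Keys are assumed to be names chosen by the developer, not user input.
    public static void AddParams(SqlCommand cmd, Hashtable ht)
    {
        foreach (DictionaryEntry e in ht)
        {
            string name = "@" + e.Key;
            // Pass the native object rather than ToString() so the provider
            // infers the SqlDbType (int -> Int, DateTime -> DateTime,
            // string -> NVarChar). A null reference is sent as DBNull.Value.
            SqlParameter p = new SqlParameter(name, e.Value ?? DBNull.Value);
            cmd.Parameters.Add(p);
        }
    }

    public static void Main()
    {
        // Constructed sample: the table and column names are made up.
        SqlCommand cmd = new SqlCommand(
            "INSERT INTO Orders (Qty, Note, Placed) VALUES (@Qty, @Note, @Placed)");

        Hashtable ht = new Hashtable();
        ht["Qty"] = 10;
        ht["Note"] = "10'; shutdown;";            // the test string from the answer
        ht["Placed"] = new DateTime(2003, 10, 21);
        AddParams(cmd, ht);

        // The command text is untouched by the values: the test string is
        // carried only in the parameter collection, never spliced into the SQL.
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine("{0,-8} {1,-9} {2}", p.ParameterName, p.SqlDbType, p.Value);
    }
}
```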