SqlParameter help

Posted on 2003-10-21
Medium Priority
Last Modified: 2010-04-16
I've got a database object that I use for my connection layer and in this layer I'm attempting to involve the use of sql parameters. My problem is that I'm making it very general so that it can be easily reused.  Here is my code.

            public void Insert(Hashtable ht)
                  SqlDataAdapter sd = new SqlDataAdapter();
                  sd.InsertCommand = this.myConnection.CreateCommand();
                  sd.InsertCommand.CommandText = this.sql;
                  this._addParams(sd.InsertCommand, ht);

            private void _addParams( SqlCommand cmd, Hashtable ht)
                  IDictionaryEnumerator myEnum = ht.GetEnumerator();
                        cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
                        cmd.Parameters["@" + myEnum.Key.ToString()].Value = myEnum.Value.ToString();

My question is that normally this line:
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());

would have 4 parameters that would include a SqlDbType parameter and a length. Because this is general I left it out. Am I still inviting sql Injection as a possible problem?  

Anyone have some ideas on how to make this more robust?

Question by:jayrod
1 Comment
LVL 10

Accepted Solution

ptmcomp earned 1200 total points
ID: 9592790
- You can't do SQL injection over sql parameters. Your code is safe so far.
- Provide only datareader and if needed datawriter rights to the database user.
- Your data is not typed if you do it that way.
- Test your code and try to do sql injection (e.g. 10'; shutdown; when logged in as "sa" - what you never should be...). More information here: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- The user could also do HTML/Javascript injection. Are you showing any data in the web browser? Be sure to filter or encode it.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article introduced a TextBox that supports transparent background.   Introduction TextBox is the most widely used control component in GUI design. Most GUI controls do not support transparent background and more or less do not have the…
Exception Handling is in the core of any application that is able to dignify its name. In this article, I'll guide you through the process of writing a DRY (Don't Repeat Yourself) Exception Handling mechanism, using Aspect Oriented Programming.
Hi, this video explains a free download that you can incorporate into your Access databases, or use stand-alone for contact management. Contacts -- Names, Addresses, Phone Numbers, eMail Addresses, Websites, Lists, Projects, Notes, Attachments…
Through the video, you can check the migration process of Outlook PST file to PDF. Kernel for Outlook to PDF tool can convert Outlook emails with all attributes like Subject, To, From, Cc, Bcc and other folders such as Inbox, Outbox, Sent Items, Jun…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question