Solved

SqlParameter help

Posted on 2003-10-21
244 Views
Last Modified: 2010-04-16
I've got a database object that I use for my connection layer, and in this layer I'm attempting to involve the use of SQL parameters. My problem is that I'm making it very general so that it can be easily reused. Here is my code.

            // Needs: using System.Collections; using System.Data; using System.Data.SqlClient;
            public void Insert(Hashtable ht)
            {
                  // The SqlDataAdapter only ever held the command, so create the command directly.
                  SqlCommand cmd = this.myConnection.CreateCommand();
                  cmd.CommandText = this.sql;   // fixed SQL text; user data enters only through parameters
                  this._addParams(cmd, ht);
                  // ExecuteNonQuery requires an open connection.
                  if (this.myConnection.State != ConnectionState.Open)
                        this.myConnection.Open();
                  cmd.ExecuteNonQuery();
            }

            private void _addParams(SqlCommand cmd, Hashtable ht)
            {
                  IDictionaryEnumerator myEnum = ht.GetEnumerator();
                  while (myEnum.MoveNext())
                  {
                        // Parameter name from the key, value from the entry (the original added the key
                        // as the value and then overwrote it). Without a SqlDbType the provider infers
                        // the type from the .NET value, so everything is sent as a string here.
                        cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Value.ToString());
                  }
            }

My question is that normally this line:
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Value.ToString());

would have 4 parameters that would include a SqlDbType parameter and a length. Because this is general I left it out. Am I still inviting SQL injection as a possible problem?

Anyone have some ideas on how to make this more robust?

Thanks
Question by:jayrod
1 Comment
LVL 10

Accepted Solution

by:
ptmcomp earned 300 total points
ID: 9592790
- You can't do SQL injection over SQL parameters. Your code is safe so far.
- Provide only datareader and, if needed, datawriter rights to the database user.
- Your data is not typed if you do it that way.
- Test your code and try to do SQL injection (e.g. 10'; shutdown; when logged in as "sa", which you never should be...). More information here: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- The user could also do HTML/JavaScript injection. Are you showing any data in the web browser? Be sure to filter or encode it.
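A typed version of _addParams along the lines of ptmcomp's "your data is not typed" point (an added example, not code from the question or the accepted answer): ColumnSpec, TypedParams and the Id/Name column map are assumptions standing in for the real table definition. It keeps the Hashtable interface but gives every parameter a SqlDbType and size, rejects keys that are not known columns, and converts values in code so a bad value fails before the command is sent.

```csharp
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Hypothetical column spec: the SqlDbType, max size and CLR type one column accepts.
public sealed class ColumnSpec
{
    public readonly SqlDbType DbType; public readonly int Size; public readonly Type ClrType;
    public ColumnSpec(SqlDbType dbType, int size, Type clrType)
    { DbType = dbType; Size = size; ClrType = clrType; }
}
public static class TypedParams
{
    // Constructed schema map for one table; a real one comes from the table definition.
    static readonly Hashtable Schema = new Hashtable();
    static TypedParams()
    {
        Schema["Id"]   = new ColumnSpec(SqlDbType.Int, 0, typeof(int));
        Schema["Name"] = new ColumnSpec(SqlDbType.NVarChar, 50, typeof(string));
    }
    // Same Hashtable input as _addParams, but each parameter carries a SqlDbType and size,
    // unknown keys are rejected, and values are converted in code instead of sent as text.
    public static void AddParams(SqlCommand cmd, Hashtable ht)
    {
        foreach (DictionaryEntry e in ht)
        {
            string key = e.Key.ToString();
            ColumnSpec spec = (ColumnSpec)Schema[key];
            if (spec == null)
                throw new ArgumentException("No column spec for key: " + key);
            SqlParameter p = new SqlParameter("@" + key, spec.DbType, spec.Size);
            if (e.Value == null)
            {
                p.Value = DBNull.Value;
            }
            else
            {
                // Throws here, before anything reaches the server, if e.g. "abc" is given for Id.
                object v = Convert.ChangeType(e.Value, spec.ClrType, CultureInfo.InvariantCulture);
                if (spec.Size > 0 && v is string && ((string)v).Length > spec.Size)
                    throw new ArgumentException("Value too long for column " + key);
                p.Value = v;   // a value like "O'Brien" is bound as data, never spliced into the SQL
            }
            cmd.Parameters.Add(p);
        }
    }
}
```

Called with a fixed CommandText such as INSERT INTO Customers (Id, Name) VALUES (@Id, @Name), the Hashtable keys can only ever select a declared column, and the statement text never changes.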