Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 413
  • Last Modified:

Hacking and Sql parameters

Hey all,

I read numerous times and I think it is well known that you should never ever do something like this in your code:

string sql = "SELECT * FROM MyTable WHERE MyColumn = '" + parameter + "'";
SqlCommand cmd = new SqlCommand(sql);

where 'parameter' is for example some value from an input field.

However, I'm looking at some old Database code here for a company and sometimes SQL queries are done this way. The only thing done with the 'paramter' value is checking for single / double quotes, null values, dates, etc, so a user will never get an ugly exception when trying to insert some invalid value with quotes or a date in a wrong format, etc.

My question is, is this still very unsafe? And if so, can someone please explain why? I'm not looking for examples of malicious values, but something more detailed than 'it is unsafe' is appreciated. Are we talking about buffer overflows or something? Is this problem fixed in nowadays versions or is it still a vulnerability? Does it *absolutely* have to be converted and done with the SqlParameter way? If someone can answer this for me, it would be appreciated.

Thanks :)
0
Razzie_
Asked:
Razzie_
  • 4
  • 2
  • 2
  • +3
3 Solutions
 
Thandava VallepalliCommented:
0
 
Thandava VallepalliCommented:
for safe side replace single quotes with 2 single quotes...

==================================
parameter = parameter.Replace("'", "''");
string sql = "SELECT * FROM MyTable WHERE MyColumn = '" + parameter + "'";
SqlCommand cmd = new SqlCommand(sql);
==================================

itsvtk
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Thandava VallepalliCommented:
0
 
NipNFriar_TuckCommented:
Razz,

I am sure those links give you a complete understanding of the issue... Here is the short explanation: A malicious user could but in a string that would case the buffer over run then place a malicious application an your server that would... say send all passwords back to them.  They could then take this information hack into you network and... well you get the point.

HTH.
0
 
b1xml2Commented:
1. URL: http://www.4guysfromrolla.com/webtech/061902-1.shtml is really relevant in ASP and NOT ASP.NET.
2. We should not be using "SELECT * FROM MyTable WHERE MyColumn = '" + parameter + "'"; at all within the .NET Framework.
3.
The Code>>>
parameter = parameter.Replace("'", "''");
string sql = "SELECT * FROM MyTable WHERE MyColumn = '" + parameter + "'";
<<< Does NOT protect you from SQL Injection Attacks

Example Of Using SqlParameters
=====================

string sql = "SELECT * FROM MyTable WHERE MyColumn = @Par";
SqlCommand cmd = new SqlCommand(sql);
cmd.Parameters.Add("@Par",SqlDbType.VarChar).Value = "somthing";
0
 
b1xml2Commented:
The Use Of Parameters will protect against SQL Injections and removes the need for replacing single quotes with double quotes.
0
 
Razzie_Author Commented:
Thanks all so far.

One more thing - b1xml2... you say '<<< Does NOT protect you from SQL Injection Attacks'. But I can't read that anywhere nor find an explanation. On the contrary, so far everything I've read says that replacing single with double quotes is good protection. So can you clarify?

(replacing single quotes with double quotes already happened in the code I reviewed)
0
 
ptmcompCommented:
I strongly agree with b1xml2
0
 
Razzie_Author Commented:
Sorry for the slow reaction from my side, been too busy :)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now