Hacking and Sql parameters
Posted on 2005-03-18
I read numerous times and I think it is well known that you should never ever do something like this in your code:
string sql = "SELECT * FROM MyTable WHERE MyColumn = '" + parameter + "'";
SqlCommand cmd = new SqlCommand(sql);
where 'parameter' is for example some value from an input field.
However, I'm looking at some old Database code here for a company and sometimes SQL queries are done this way. The only thing done with the 'paramter' value is checking for single / double quotes, null values, dates, etc, so a user will never get an ugly exception when trying to insert some invalid value with quotes or a date in a wrong format, etc.
My question is, is this still very unsafe? And if so, can someone please explain why? I'm not looking for examples of malicious values, but something more detailed than 'it is unsafe' is appreciated. Are we talking about buffer overflows or something? Is this problem fixed in nowadays versions or is it still a vulnerability? Does it *absolutely* have to be converted and done with the SqlParameter way? If someone can answer this for me, it would be appreciated.