Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 555
  • Last Modified:

SQL, Between dates and SQL Injection

Good afternoon,

I'm attempting to build a Select statement from my database to fill a Gridview.  I want it to pull the results from within the past 14 days.  I've got this working by doing the following:

I have a label, with visability set to false on the page.  On page load, I have it populate the labels.text with the date of today MM/DD/YYYY.  I then use the following in my where clause:
AND (Labor.LaborDate BETWEEN DATEADD(d, - 14, @Today) AND @Today)

@Today is obviously a control parameter that ties back to my label that stores the date.

Okay, now to my question - while researching how to effectively use between, I saw a lot of warnings about using dynamic SQL statements, because of SQL Injection attacks.  My understanding is this would be the case if I was taking this value from a text box, rather than an un-editable label that is also never visable.  Is this correct? Or would my current setup leave me open to SQL injection attacks?

Thanks in advance for your advice,

Dave
0
arhame
Asked:
arhame
  • 5
  • 3
  • 2
2 Solutions
 
YveauCommented:
SQL injection is only a risk if you would take a field (textbox) from the client app and pass that on to the SQL Server in a dynamic SQL statement. So if the client app does something similar to:

    $SQL = "Select * from Mytable where MyField = " + $textbox1.text

If you work with stored procedure calls (as you should always do !) this should be safe:

    $SQL = "execute MyProc @MyParm = " + $textbox1.text

In that case the variable that can be influenced by the end user is interpreted as a parameter and not as part of a SQL Statement ... and that puts you in the safe zone !

Hope this helps ...
0
 
arhameAuthor Commented:
Okay, that makes sense.  So even though I'm not using a stored procedure, since it's pulling the value from a place that is not editable or changable by any user, then it's safe.

Okay, thanks for the clarification :)  All those articles got me worried, and I just wanted to verify I wasn't potentially making a huge mistake.
0
 
imitchieCommented:
CAUTION!! It's not that easy

    $SQL = "execute MyProc @MyParm = " + $textbox1.text

If my textbox.text is " ''; sp_adduser 'give', 'access'; "

You will be in trouble
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
arhameAuthor Commented:
Ahhh, yeah I can see how that could be a problem.  Thanks for the clarification for future implementations.  But as this situation I'm using a hidden label, I'm okay?
0
 
imitchieCommented:
Yup. But that's an example of SQL Injection, if you needed one.  Using Stored Procedures doesn't help, you actually need to do it properly.
0
 
YveauCommented:
Yep, you're right imitchie, oversaw that caveat for a second :-\

As long as the label cannot be modified by the end user you should be in the clear ...
Still not a nice implementation but ... for now it will do I guess ...

Hope this helps ...
0
 
arhameAuthor Commented:
Okay, thanks.

Split the points in half, since he answered my original question about labels being safe, and gave imitchie points for going in further depth on what a sql injection is.
0
 
YveauCommented:
Glad I could be of any help.
0
 
YveauCommented:
...and probably the best one (in BOL !)
ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/scsql9/html/c04f1f33-d607-461b-9c75-799c55087a63.htm
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now