Solved

SQL, Between dates and SQL Injection

Posted on 2007-12-04
10
526 Views
Last Modified: 2012-05-05
Good afternoon,

I'm attempting to build a Select statement from my database to fill a Gridview.  I want it to pull the results from within the past 14 days.  I've got this working by doing the following:

I have a label, with visability set to false on the page.  On page load, I have it populate the labels.text with the date of today MM/DD/YYYY.  I then use the following in my where clause:
AND (Labor.LaborDate BETWEEN DATEADD(d, - 14, @Today) AND @Today)

@Today is obviously a control parameter that ties back to my label that stores the date.

Okay, now to my question - while researching how to effectively use between, I saw a lot of warnings about using dynamic SQL statements, because of SQL Injection attacks.  My understanding is this would be the case if I was taking this value from a text box, rather than an un-editable label that is also never visable.  Is this correct? Or would my current setup leave me open to SQL injection attacks?

Thanks in advance for your advice,

Dave
0
Comment
Question by:arhame
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
10 Comments
 
LVL 18

Accepted Solution

by:
Yveau earned 250 total points
ID: 20407336
SQL injection is only a risk if you would take a field (textbox) from the client app and pass that on to the SQL Server in a dynamic SQL statement. So if the client app does something similar to:

    $SQL = "Select * from Mytable where MyField = " + $textbox1.text

If you work with stored procedure calls (as you should always do !) this should be safe:

    $SQL = "execute MyProc @MyParm = " + $textbox1.text

In that case the variable that can be influenced by the end user is interpreted as a parameter and not as part of a SQL Statement ... and that puts you in the safe zone !

Hope this helps ...
0
 
LVL 8

Author Comment

by:arhame
ID: 20407380
Okay, that makes sense.  So even though I'm not using a stored procedure, since it's pulling the value from a place that is not editable or changable by any user, then it's safe.

Okay, thanks for the clarification :)  All those articles got me worried, and I just wanted to verify I wasn't potentially making a huge mistake.
0
 
LVL 25

Assisted Solution

by:imitchie
imitchie earned 250 total points
ID: 20407383
CAUTION!! It's not that easy

    $SQL = "execute MyProc @MyParm = " + $textbox1.text

If my textbox.text is " ''; sp_adduser 'give', 'access'; "

You will be in trouble
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Author Comment

by:arhame
ID: 20407400
Ahhh, yeah I can see how that could be a problem.  Thanks for the clarification for future implementations.  But as this situation I'm using a hidden label, I'm okay?
0
 
LVL 25

Expert Comment

by:imitchie
ID: 20407410
Yup. But that's an example of SQL Injection, if you needed one.  Using Stored Procedures doesn't help, you actually need to do it properly.
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407419
Yep, you're right imitchie, oversaw that caveat for a second :-\

As long as the label cannot be modified by the end user you should be in the clear ...
Still not a nice implementation but ... for now it will do I guess ...

Hope this helps ...
0
 
LVL 8

Author Comment

by:arhame
ID: 20407429
Okay, thanks.

Split the points in half, since he answered my original question about labels being safe, and gave imitchie points for going in further depth on what a sql injection is.
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407443
Glad I could be of any help.
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407470
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407481
...and probably the best one (in BOL !)
ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/scsql9/html/c04f1f33-d607-461b-9c75-799c55087a63.htm
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.
Viewers will learn how the fundamental information of how to create a table.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question