Solved

SQL, Between dates and SQL Injection

Posted on 2007-12-04
10
535 Views
Last Modified: 2012-05-05
Good afternoon,

I'm attempting to build a Select statement from my database to fill a Gridview.  I want it to pull the results from within the past 14 days.  I've got this working by doing the following:

I have a label, with visability set to false on the page.  On page load, I have it populate the labels.text with the date of today MM/DD/YYYY.  I then use the following in my where clause:
AND (Labor.LaborDate BETWEEN DATEADD(d, - 14, @Today) AND @Today)

@Today is obviously a control parameter that ties back to my label that stores the date.

Okay, now to my question - while researching how to effectively use between, I saw a lot of warnings about using dynamic SQL statements, because of SQL Injection attacks.  My understanding is this would be the case if I was taking this value from a text box, rather than an un-editable label that is also never visable.  Is this correct? Or would my current setup leave me open to SQL injection attacks?

Thanks in advance for your advice,

Dave
0
Comment
Question by:arhame
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
10 Comments
 
LVL 18

Accepted Solution

by:
Yveau earned 250 total points
ID: 20407336
SQL injection is only a risk if you would take a field (textbox) from the client app and pass that on to the SQL Server in a dynamic SQL statement. So if the client app does something similar to:

    $SQL = "Select * from Mytable where MyField = " + $textbox1.text

If you work with stored procedure calls (as you should always do !) this should be safe:

    $SQL = "execute MyProc @MyParm = " + $textbox1.text

In that case the variable that can be influenced by the end user is interpreted as a parameter and not as part of a SQL Statement ... and that puts you in the safe zone !

Hope this helps ...
0
 
LVL 8

Author Comment

by:arhame
ID: 20407380
Okay, that makes sense.  So even though I'm not using a stored procedure, since it's pulling the value from a place that is not editable or changable by any user, then it's safe.

Okay, thanks for the clarification :)  All those articles got me worried, and I just wanted to verify I wasn't potentially making a huge mistake.
0
 
LVL 25

Assisted Solution

by:imitchie
imitchie earned 250 total points
ID: 20407383
CAUTION!! It's not that easy

    $SQL = "execute MyProc @MyParm = " + $textbox1.text

If my textbox.text is " ''; sp_adduser 'give', 'access'; "

You will be in trouble
0
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

 
LVL 8

Author Comment

by:arhame
ID: 20407400
Ahhh, yeah I can see how that could be a problem.  Thanks for the clarification for future implementations.  But as this situation I'm using a hidden label, I'm okay?
0
 
LVL 25

Expert Comment

by:imitchie
ID: 20407410
Yup. But that's an example of SQL Injection, if you needed one.  Using Stored Procedures doesn't help, you actually need to do it properly.
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407419
Yep, you're right imitchie, oversaw that caveat for a second :-\

As long as the label cannot be modified by the end user you should be in the clear ...
Still not a nice implementation but ... for now it will do I guess ...

Hope this helps ...
0
 
LVL 8

Author Comment

by:arhame
ID: 20407429
Okay, thanks.

Split the points in half, since he answered my original question about labels being safe, and gave imitchie points for going in further depth on what a sql injection is.
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407443
Glad I could be of any help.
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407470
0
 
LVL 18

Expert Comment

by:Yveau
ID: 20407481
...and probably the best one (in BOL !)
ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/scsql9/html/c04f1f33-d607-461b-9c75-799c55087a63.htm
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question