Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How to handle SQL Statement when variable is on the column name

Posted on 2008-10-10
2
Medium Priority
?
232 Views
Last Modified: 2010-04-21
Hi all

I have the following SQL statement within my ASP code. I am just auditing the code to stop SQL Injection vulnerabilities so I am taking the likes of this code and
puting it into a stored procedure and creating ADO parameteres where required.


But the variable for this SQL statement is on the table column rather than the value being the parameter..


What would be the best way to handle this within a stored procedure with security against SQL attacks being the main objective including how to pass the variable to the stored procedure too from my ASP.Net page.


Select * from tbl1 Where " & Request("frmSelection") & " = 1 Order By id asc

Many thanks,

Rit
0
Comment
Question by:rito1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 2000 total points
ID: 22687786
Yeah, stuff like that makes so much sense when concatenated, but becomes a real problem when trying to do it right.

The fact of the matter is, there is a finite set of fields for which the query makes sense.  Things outside that set are incorrect, even suspicious in terms of SQL injection.

So .. finite branching in the stored procedure makes sense.

Create procedure dbo.GetTbl1
  @BitField varchar(100)
AS
--Check errors first
if not exists (Select 1 Where @BitField  in ('Field1', 'Field2', 'Field3'))
Raiserror ('Invalid criterion ', 16, 1)
 
 
Select Field1, Field2 /* , etc. */
From tbl1
Where (@BitField <> 'Field1' OR Field1 = 1) AND
  (@BitField <> 'Field2' OR Field2 = 1) AND
  (@BitField <> 'Field3' OR Field3 = 1) 

Open in new window

0
 
LVL 1

Author Closing Comment

by:rito1
ID: 31505050
thank you!
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Composite queries are used to retrieve the results from joining multiple queries after applying any filters. UNION, INTERSECT, MINUS, and UNION ALL are some of the operators used to get certain desired results.​
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question