  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 235

How to handle SQL Statement when variable is on the column name

Hi all

I have the following SQL statement within my ASP code. I am just auditing the code to stop SQL Injection vulnerabilities so I am taking the likes of this code and putting it into a stored procedure and creating ADO parameters where required.


But the variable for this SQL statement is on the table column rather than the value being the parameter.


What would be the best way to handle this within a stored procedure with security against SQL attacks being the main objective including how to pass the variable to the stored procedure too from my ASP.Net page.


Select * from tbl1 Where " & Request("frmSelection") & " = 1 Order By id asc

Many thanks,

Rit
0
1 Solution
 
Daniel Wilson Commented:
Yeah, stuff like that makes so much sense when concatenated, but becomes a real problem when trying to do it right.

The fact of the matter is, there is a finite set of fields for which the query makes sense.  Things outside that set are incorrect, even suspicious in terms of SQL injection.

So .. finite branching in the stored procedure makes sense.

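Create procedure dbo.GetTbl1
  @BitField varchar(100)
AS
-- Check errors first: reject any column name outside the allowed set
if not exists (Select 1 Where @BitField in ('Field1', 'Field2', 'Field3'))
begin
  Raiserror ('Invalid criterion', 16, 1)
  -- Raiserror at severity 16 does not end the batch; return so the Select is skipped
  return
end

-- Each branch filters only when @BitField names that column
Select Field1, Field2 /* , etc. */
From tbl1
Where (@BitField <> 'Field1' OR Field1 = 1) AND
  (@BitField <> 'Field2' OR Field2 = 1) AND
  (@BitField <> 'Field3' OR Field3 = 1)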

0
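An added example, not part of the answer above or of the asker's code: the finite-branching query from the answer, run from Python against an in-memory SQLite table as a stand-in for SQL Server and ADO so that it executes offline. The table rows and the hostile input are constructed, and `make_db`, `get_tbl1` and `unguarded` are hypothetical helper names.

```python
import sqlite3

# Allowlist of selectable flag columns (names taken from the answer's procedure).
ALLOWED = ("Field1", "Field2", "Field3")

# The selector is only ever compared as a value; it is never spliced into SQL text.
QUERY = """
SELECT id FROM tbl1
WHERE (:sel <> 'Field1' OR Field1 = 1)
  AND (:sel <> 'Field2' OR Field2 = 1)
  AND (:sel <> 'Field3' OR Field3 = 1)
ORDER BY id ASC
"""

def make_db():
    """Constructed sample data: four rows with different flag combinations."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl1 (id INTEGER PRIMARY KEY, "
               "Field1 INT, Field2 INT, Field3 INT)")
    db.executemany("INSERT INTO tbl1 VALUES (?, ?, ?, ?)",
                   [(1, 1, 0, 0), (2, 0, 1, 0), (3, 1, 1, 0), (4, 0, 0, 1)])
    return db

def get_tbl1(db, selection):
    """Return ids where the chosen flag column is 1; reject anything off the list."""
    if selection not in ALLOWED:
        # Without this early exit every branch is true and all rows come back.
        raise ValueError("Invalid criterion")
    return [row[0] for row in db.execute(QUERY, {"sel": selection})]

def unguarded(db, selection):
    """Same bound query with the check skipped, to show why the early exit matters."""
    return [row[0] for row in db.execute(QUERY, {"sel": selection})]

if __name__ == "__main__":
    db = make_db()
    print(get_tbl1(db, "Field1"))      # rows flagged in Field1
    hostile = "1=1 --"                 # constructed hostile selector
    print(unguarded(db, hostile))      # treated as data, but every row matches
    try:
        get_tbl1(db, hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The bound selector cannot alter the statement, but an unrecognised value still makes every branch true, so the allowlist check has to stop execution before the query runs.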
 
rito1 Author Commented:
Thank you!
0
