Solved

How to handle SQL Statement when variable is on the column name

Posted on 2008-10-10
2
224 Views
Last Modified: 2010-04-21
Hi all

I have the following SQL statement within my ASP code. I am just auditing the code to stop SQL Injection vulnerabilities so I am taking the likes of this code and
puting it into a stored procedure and creating ADO parameteres where required.


But the variable for this SQL statement is on the table column rather than the value being the parameter..


What would be the best way to handle this within a stored procedure with security against SQL attacks being the main objective including how to pass the variable to the stored procedure too from my ASP.Net page.


Select * from tbl1 Where " & Request("frmSelection") & " = 1 Order By id asc

Many thanks,

Rit
0
Comment
Question by:rito1
2 Comments
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 500 total points
ID: 22687786
Yeah, stuff like that makes so much sense when concatenated, but becomes a real problem when trying to do it right.

The fact of the matter is, there is a finite set of fields for which the query makes sense.  Things outside that set are incorrect, even suspicious in terms of SQL injection.

So .. finite branching in the stored procedure makes sense.

Create procedure dbo.GetTbl1
  @BitField varchar(100)
AS
--Check errors first
if not exists (Select 1 Where @BitField  in ('Field1', 'Field2', 'Field3'))
Raiserror ('Invalid criterion ', 16, 1)
 
 
Select Field1, Field2 /* , etc. */
From tbl1
Where (@BitField <> 'Field1' OR Field1 = 1) AND
  (@BitField <> 'Field2' OR Field2 = 1) AND
  (@BitField <> 'Field3' OR Field3 = 1) 

Open in new window

0
 
LVL 1

Author Closing Comment

by:rito1
ID: 31505050
thank you!
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
New and Previous Values in a Query 7 30
Syntax Issue with SSIS module 26 103
Finding the IIS version 5 21
Procedure syntax 5 38
Just a quick little trick I learned recently.  Now that I'm using jQuery with abandon in my asp.net applications, I have grown tired of the following syntax:      (CODE) I suppose it just offends my sense of decency to put inline VBScript on a…
Composite queries are used to retrieve the results from joining multiple queries after applying any filters. UNION, INTERSECT, MINUS, and UNION ALL are some of the operators used to get certain desired results.​
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question