Solved

How to handle SQL Statement when variable is on the column name

Posted on 2008-10-10
2
225 Views
Last Modified: 2010-04-21
Hi all

I have the following SQL statement within my ASP code. I am just auditing the code to stop SQL Injection vulnerabilities so I am taking the likes of this code and
puting it into a stored procedure and creating ADO parameteres where required.


But the variable for this SQL statement is on the table column rather than the value being the parameter..


What would be the best way to handle this within a stored procedure with security against SQL attacks being the main objective including how to pass the variable to the stored procedure too from my ASP.Net page.


Select * from tbl1 Where " & Request("frmSelection") & " = 1 Order By id asc

Many thanks,

Rit
0
Comment
Question by:rito1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 500 total points
ID: 22687786
Yeah, stuff like that makes so much sense when concatenated, but becomes a real problem when trying to do it right.

The fact of the matter is, there is a finite set of fields for which the query makes sense.  Things outside that set are incorrect, even suspicious in terms of SQL injection.

So .. finite branching in the stored procedure makes sense.

Create procedure dbo.GetTbl1
  @BitField varchar(100)
AS
--Check errors first
if not exists (Select 1 Where @BitField  in ('Field1', 'Field2', 'Field3'))
Raiserror ('Invalid criterion ', 16, 1)
 
 
Select Field1, Field2 /* , etc. */
From tbl1
Where (@BitField <> 'Field1' OR Field1 = 1) AND
  (@BitField <> 'Field2' OR Field2 = 1) AND
  (@BitField <> 'Field3' OR Field3 = 1) 

Open in new window

0
 
LVL 1

Author Closing Comment

by:rito1
ID: 31505050
thank you!
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Confronted with some SQL you don't know can be a daunting task. It can be even more daunting if that SQL carries some of the old secret codes used in the Ye Olde query syntax, such as: (+)     as used in Oracle;     *=     =*    as used in Sybase …
If you have heard of RFC822 date formats, they can be quite a challenge in SQL Server. RFC822 is an Internet standard format for email message headers, including all dates within those headers. The RFC822 protocols are available in detail at:   ht…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question