Solved

How to handle SQL Statement when variable is on the column name

Posted on 2008-10-10
2
223 Views
Last Modified: 2010-04-21
Hi all

I have the following SQL statement within my ASP code. I am just auditing the code to stop SQL Injection vulnerabilities so I am taking the likes of this code and
puting it into a stored procedure and creating ADO parameteres where required.


But the variable for this SQL statement is on the table column rather than the value being the parameter..


What would be the best way to handle this within a stored procedure with security against SQL attacks being the main objective including how to pass the variable to the stored procedure too from my ASP.Net page.


Select * from tbl1 Where " & Request("frmSelection") & " = 1 Order By id asc

Many thanks,

Rit
0
Comment
Question by:rito1
2 Comments
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 500 total points
ID: 22687786
Yeah, stuff like that makes so much sense when concatenated, but becomes a real problem when trying to do it right.

The fact of the matter is, there is a finite set of fields for which the query makes sense.  Things outside that set are incorrect, even suspicious in terms of SQL injection.

So .. finite branching in the stored procedure makes sense.

Create procedure dbo.GetTbl1
  @BitField varchar(100)
AS
--Check errors first
if not exists (Select 1 Where @BitField  in ('Field1', 'Field2', 'Field3'))
Raiserror ('Invalid criterion ', 16, 1)
 
 
Select Field1, Field2 /* , etc. */
From tbl1
Where (@BitField <> 'Field1' OR Field1 = 1) AND
  (@BitField <> 'Field2' OR Field2 = 1) AND
  (@BitField <> 'Field3' OR Field3 = 1) 

Open in new window

0
 
LVL 1

Author Closing Comment

by:rito1
ID: 31505050
thank you!
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Occasionally there is a need to clean table columns, especially if you have inherited legacy data. There are obviously many ways to accomplish that, including elaborate UPDATE queries with anywhere from one to numerous REPLACE functions (even within…
Composite queries are used to retrieve the results from joining multiple queries after applying any filters. UNION, INTERSECT, MINUS, and UNION ALL are some of the operators used to get certain desired results.​
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question