Solved

Preventing SQL injection with openquery

Posted on 2010-11-15
3
796 Views
Last Modified: 2012-05-10
I've got this code which I with my little knowledge about SQL injection and ASP.Net believe that this is protected against any kind of SQL injection attack.

Dim commandText As String = "DECLARE @investor varchar(10), @sql varchar(1000) "
     commandText += "SELECT @investor = '69836', "
     commandText += "@sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 "
     commandText += "WHERE investor = ' + @investor + ' '')' EXEC(@sql)"

     Dim query As SqlCommand = New SqlCommand(commandText, conn)

Open in new window

   
I've read up loads of articles about SQL injection attacks and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.

I just would like to know if i've done this correct to be sql injection free or if there is something else I need to do?

Thanks
0
Comment
Question by:bchambers233
  • 2
3 Comments
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138805
Suppose I pass the attached SQL to your process as the @investor parameter.  What happens then?
investor; EXEC(@sql); TRUNCATE TABLE table1;

Open in new window

0
 
LVL 3

Accepted Solution

by:
Epitel0920 earned 500 total points
ID: 34138816
No thats not very safe if it gets @investor from the user's input/text box. User could set the value to be something like "3869); Drop table main;"

You should use something like:
cmd.CommandText = "SELECT * FROM Investors WHERE InvestorID = @InvestorID"                cmd.Parameters.AddWithValue("@InvestorID", "3456");
0
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138902
Or, better yet, set up a stored procedure in which you recieve the various parameters and then do things like check @investor for the presence of a semi-colon (;) and take various other preventitive measures (e.g. making sure that values are "reasonable").  Once you have scrubbed and established the reasonableness of the parameter values, you can using their values in the stored procedure's query statement to accomplish the same results as your dynamic SQL.

0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

When you hear the word proxy, you may become apprehensive. This article will help you to understand Proxy and when it is useful. Let's talk Proxy for SQL Server. (Not in terms of Internet access.) Typically, you'll run into this type of problem w…
Everyone has problem when going to load data into Data warehouse (EDW). They all need to confirm that data quality is good but they don't no how to proceed. Microsoft has provided new task within SSIS 2008 called "Data Profiler Task". It solve th…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now