bchambers233
asked on
Preventing SQL injection with openquery
I've got this code which I with my little knowledge about SQL injection and ASP.Net believe that this is protected against any kind of SQL injection attack.
I've read up loads of articles about SQL injection attacks and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.
I just would like to know if i've done this correct to be sql injection free or if there is something else I need to do?
Thanks
Dim commandText As String = "DECLARE @investor varchar(10), @sql varchar(1000) "
commandText += "SELECT @investor = '69836', "
commandText += "@sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 "
commandText += "WHERE investor = ' + @investor + ' '')' EXEC(@sql)"
Dim query As SqlCommand = New SqlCommand(commandText, conn)
I've read up loads of articles about SQL injection attacks and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.
I just would like to know if i've done this correct to be sql injection free or if there is something else I need to do?
Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Or, better yet, set up a stored procedure in which you recieve the various parameters and then do things like check @investor for the presence of a semi-colon (;) and take various other preventitive measures (e.g. making sure that values are "reasonable"). Once you have scrubbed and established the reasonableness of the parameter values, you can using their values in the stored procedure's query statement to accomplish the same results as your dynamic SQL.
Open in new window