Solved

Preventing SQL injection with openquery

Posted on 2010-11-15
3
807 Views
Last Modified: 2012-05-10
I've got this code which I with my little knowledge about SQL injection and ASP.Net believe that this is protected against any kind of SQL injection attack.

Dim commandText As String = "DECLARE @investor varchar(10), @sql varchar(1000) "
     commandText += "SELECT @investor = '69836', "
     commandText += "@sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 "
     commandText += "WHERE investor = ' + @investor + ' '')' EXEC(@sql)"

     Dim query As SqlCommand = New SqlCommand(commandText, conn)

Open in new window

   
I've read up loads of articles about SQL injection attacks and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.

I just would like to know if i've done this correct to be sql injection free or if there is something else I need to do?

Thanks
0
Comment
Question by:bchambers233
  • 2
3 Comments
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138805
Suppose I pass the attached SQL to your process as the @investor parameter.  What happens then?
investor; EXEC(@sql); TRUNCATE TABLE table1;

Open in new window

0
 
LVL 3

Accepted Solution

by:
Epitel0920 earned 500 total points
ID: 34138816
No thats not very safe if it gets @investor from the user's input/text box. User could set the value to be something like "3869); Drop table main;"

You should use something like:
cmd.CommandText = "SELECT * FROM Investors WHERE InvestorID = @InvestorID"                cmd.Parameters.AddWithValue("@InvestorID", "3456");
0
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138902
Or, better yet, set up a stored procedure in which you recieve the various parameters and then do things like check @investor for the presence of a semi-colon (;) and take various other preventitive measures (e.g. making sure that values are "reasonable").  Once you have scrubbed and established the reasonableness of the parameter values, you can using their values in the stored procedure's query statement to accomplish the same results as your dynamic SQL.

0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
I have a large data set and a SSIS package. How can I load this file in multi threading?
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now