Link to home
Start Free TrialLog in
Avatar of bchambers233
bchambers233Flag for United Kingdom of Great Britain and Northern Ireland

asked on

Preventing SQL injection with openquery

I've got this code which I with my little knowledge about SQL injection and ASP.Net believe that this is protected against any kind of SQL injection attack.

Dim commandText As String = "DECLARE @investor varchar(10), @sql varchar(1000) "
     commandText += "SELECT @investor = '69836', "
     commandText += "@sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 "
     commandText += "WHERE investor = ' + @investor + ' '')' EXEC(@sql)"

     Dim query As SqlCommand = New SqlCommand(commandText, conn)

Open in new window

   
I've read up loads of articles about SQL injection attacks and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.

I just would like to know if i've done this correct to be sql injection free or if there is something else I need to do?

Thanks
Avatar of 8080_Diver
8080_Diver
Flag of United States of America image

Suppose I pass the attached SQL to your process as the @investor parameter.  What happens then?
investor; EXEC(@sql); TRUNCATE TABLE table1;

Open in new window

ASKER CERTIFIED SOLUTION
Avatar of Epitel0920
Epitel0920

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Or, better yet, set up a stored procedure in which you recieve the various parameters and then do things like check @investor for the presence of a semi-colon (;) and take various other preventitive measures (e.g. making sure that values are "reasonable").  Once you have scrubbed and established the reasonableness of the parameter values, you can using their values in the stored procedure's query statement to accomplish the same results as your dynamic SQL.