Solved

Preventing SQL injection with openquery

Posted on 2010-11-15
3
831 Views
Last Modified: 2012-05-10
I've got this code which I with my little knowledge about SQL injection and ASP.Net believe that this is protected against any kind of SQL injection attack.

Dim commandText As String = "DECLARE @investor varchar(10), @sql varchar(1000) "
     commandText += "SELECT @investor = '69836', "
     commandText += "@sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 "
     commandText += "WHERE investor = ' + @investor + ' '')' EXEC(@sql)"

     Dim query As SqlCommand = New SqlCommand(commandText, conn)

Open in new window

   
I've read up loads of articles about SQL injection attacks and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.

I just would like to know if i've done this correct to be sql injection free or if there is something else I need to do?

Thanks
0
Comment
Question by:bchambers233
  • 2
3 Comments
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138805
Suppose I pass the attached SQL to your process as the @investor parameter.  What happens then?
investor; EXEC(@sql); TRUNCATE TABLE table1;

Open in new window

0
 
LVL 3

Accepted Solution

by:
Epitel0920 earned 500 total points
ID: 34138816
No thats not very safe if it gets @investor from the user's input/text box. User could set the value to be something like "3869); Drop table main;"

You should use something like:
cmd.CommandText = "SELECT * FROM Investors WHERE InvestorID = @InvestorID"                cmd.Parameters.AddWithValue("@InvestorID", "3456");
0
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138902
Or, better yet, set up a stored procedure in which you recieve the various parameters and then do things like check @investor for the presence of a semi-colon (;) and take various other preventitive measures (e.g. making sure that values are "reasonable").  Once you have scrubbed and established the reasonableness of the parameter values, you can using their values in the stored procedure's query statement to accomplish the same results as your dynamic SQL.

0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question