Solved

Preventing SQL injection with openquery

Posted on 2010-11-15
Last Modified: 2012-05-10
I've got this code which, with my little knowledge about SQL injection and ASP.Net, I believe is protected against any kind of SQL injection attack.

Imports System.Data.SqlClient

' Builds one T-SQL batch as a string: declare @investor and @sql, assign the
' investor value and the OPENQUERY text (the investor value is concatenated
' into the remote query inside T-SQL), then EXEC the assembled string.
Dim commandText As String = "DECLARE @investor varchar(10), @sql varchar(1000) "
commandText += "SELECT @investor = '69836', "
commandText += "@sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 "
commandText += "WHERE investor = ' + @investor + ' '')' EXEC(@sql)"

' conn is an already-open SqlConnection to the local server that owns the linked server "db"
Dim query As SqlCommand = New SqlCommand(commandText, conn)

I've read loads of articles about SQL injection attacks, and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.

I just would like to know if I've done this correctly to be SQL injection free, or if there is something else I need to do?

Thanks
0
Comment
Question by:bchambers233
3 Comments
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138805
Suppose I pass the attached SQL to your process as the @investor parameter. What happens then?
investor; EXEC(@sql); TRUNCATE TABLE table1;

0
 
LVL 3

Accepted Solution

by:
Epitel0920 earned 500 total points
ID: 34138816
No, that's not very safe if it gets @investor from the user's input/text box. A user could set the value to be something like "3869); Drop table main;"

You should use something like:
cmd.CommandText = "SELECT * FROM Investors WHERE InvestorID = @InvestorID";
cmd.Parameters.AddWithValue("@InvestorID", "3456");
0
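To make the accepted answer concrete for the linked-server case, here is an added T-SQL example; it is not code from the thread or from any of the posters. It first shows the batch the question builds, with a hostile value in place of 69836, and then a stored procedure that hands the value to the linked server as a bound parameter with EXEC ... AT, which is the linked-server equivalent of the SqlParameter in the answer. The linked server db, the table table1 and the column investor come from the question; the procedure name and the 'rpc out' server option are assumptions. Keep in mind that the posted code has two splice points: the VB string where the user's value replaces 69836 (closed off by a SqlParameter on the client, as the answer says) and the T-SQL concatenation into the OPENQUERY literal, which is what this example replaces.

```sql
-- Added example, not from the thread. Linked server "db", remote table
-- "table1" and column "investor" come from the question; the procedure
-- name and the 'rpc out' option are assumed.

-- 1. The batch the VB code builds. OPENQUERY only accepts a string
--    literal, which is why the question wraps it in dynamic SQL. The
--    value of @investor is pasted into the remote query unquoted, so
--    whatever the caller supplies becomes part of the statement that
--    runs on the linked server. varchar(10) caps the splice at ten
--    characters, which is still enough to rewrite the WHERE clause.
DECLARE @investor varchar(10), @sql varchar(1000);
SELECT @investor = '1 OR 1=1',          -- caller-controlled, fits varchar(10)
       @sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 '
            + 'WHERE investor = ' + @investor + ' '')';
-- EXEC (@sql);  -- the remote WHERE clause is no longer a comparison
                 -- against one id, so every row of table1 comes back
GO

-- 2. Parameterized replacement. EXEC ... AT sends the query text and the
--    value separately; the provider binds the ? placeholder, so the value
--    can never change the shape of the statement.
-- One-time setup on the local server (assumed):
--   EXEC sp_serveroption 'db', 'rpc out', 'true';
CREATE PROCEDURE dbo.GetInvestorRows     -- procedure name is assumed
    @investor int                        -- typed: no string is pasted anywhere
AS
BEGIN
    SET NOCOUNT ON;
    EXEC ('SELECT * FROM table1 WHERE investor = ?', @investor) AT db;
END;
GO

-- Call from T-SQL (from ASP.NET: CommandType.StoredProcedure plus a
-- SqlParameter of type Int for @investor).
EXEC dbo.GetInvestorRows @investor = 69836;          -- rows for one investor
-- EXEC dbo.GetInvestorRows @investor = '1 OR 1=1';  -- fails int conversion;
                                                     -- no statement is built
```

With the hostile value, @sql in part 1 expands to SELECT * FROM OPENQUERY(db, 'SELECT * FROM table1 WHERE investor = 1 OR 1=1 '), and the remote server evaluates that WHERE clause as written. In part 2 the same text is rejected by the int parameter before any SQL exists. If the remote side is itself SQL Server, a four-part name (db.database.schema.table1) queried through sp_executesql with a typed @investor parameter is the other parameterized option; the trade-off is that the filter may then be applied locally after the remote rows are pulled, whereas EXEC ... AT keeps it on the linked server.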
 
LVL 22

Expert Comment

by:8080_Diver
ID: 34138902
Or, better yet, set up a stored procedure in which you receive the various parameters and then do things like check @investor for the presence of a semi-colon (;) and take various other preventive measures (e.g. making sure that values are "reasonable"). Once you have scrubbed and established the reasonableness of the parameter values, you can use their values in the stored procedure's query statement to accomplish the same results as your dynamic SQL.

0
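8080_Diver's suggestion of a stored procedure that validates its inputs before building the query, as an added T-SQL example that is not from the thread: it keeps OPENQUERY, so the filter still runs on the linked server, but only splices a value it has first proved to be nothing but digits. The check is an allow-list (digits only), which rejects every character the remote query could misread rather than one specific one, and the value is rebuilt from a typed variable so the text that reaches OPENQUERY is exactly the digits of an integer. db, table1 and investor come from the question; the procedure name, the bigint type and the error text are assumptions. On the ASP.NET side the procedure is called with CommandType.StoredProcedure and a SqlParameter for @investor, so the user's text never touches a SQL string in VB either.

```sql
-- Added example, not from the thread. Linked server "db", remote table
-- "table1" and column "investor" come from the question; the procedure
-- name, the bigint type and the error message are assumed.
CREATE PROCEDURE dbo.GetInvestorRowsViaOpenQuery   -- name assumed
    @investor varchar(10)                          -- same type the question declares
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow-list check: non-empty and nothing but the digits 0-9.
    -- Anything else (quotes, spaces, ';', letters) is refused before a
    -- single character of SQL is assembled.
    IF @investor IS NULL OR @investor = '' OR @investor LIKE '%[^0-9]%'
    BEGIN
        RAISERROR('investor must contain only digits', 16, 1);
        RETURN 1;
    END;

    -- Re-create the value from a typed variable, so the text spliced into
    -- the OPENQUERY literal is the canonical decimal form of an integer.
    DECLARE @id bigint = CAST(@investor AS bigint);
    DECLARE @sql nvarchar(1000) =
        N'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 WHERE investor = '
        + CAST(@id AS nvarchar(20)) + N''')';

    EXEC (@sql);
    RETURN 0;
END;
GO

EXEC dbo.GetInvestorRowsViaOpenQuery @investor = '69836';     -- passes the check, runs
EXEC dbo.GetInvestorRowsViaOpenQuery @investor = '1 OR 1=1';  -- refused, no SQL built
```

Because OPENQUERY requires a literal, dynamic SQL cannot be avoided here; the procedure instead makes sure the only thing that ever varies inside the literal is a run of digits. If the remote column were a string rather than a number, the same pattern would need QUOTENAME(@value, '''') to double any embedded quotes, and the result would then have to be escaped a second time because it sits inside the outer dynamic-SQL string, which is a good reason to prefer the EXEC ... AT parameter form whenever the linked server allows it.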
