?
Solved

SQL Injection with queries built client side

Posted on 2011-09-13
5
Medium Priority
?
201 Views
Last Modified: 2012-05-12
I need to know how possile it is  for an SQL injection event to occur when the queries to the database are done on the client side in this manner:

    private string getSQL_AHCCCS()
    {
        string sql = "";
        sql += "    SELECT ";
        sql += "          NULL AS ENRL_BEG_DAT_INT,  ";
        sql += "          NULL AS ENRL_END_DAT_INT,  ";
        sql += "          AcuteMedicalRateCode_CHR AS ACUTE_RATE_CD_CHR,  ";
        sql += "          HealthPlanID_CHR AS ACUTE_HP_ID_CHR,  ";
        sql += "          Name_VAR AS RP_NAME_VAR,  ";
        sql += "          DOB_CHR AS RP_DAT_OF_BIR_INT,  ";
        sql += "          AHCCCSID_CHR AS AHCCCS_ID_CHR,  ";
        sql += "          Gender_CHR AS RP_SEX_CHR  ";
        sql += "    FROM  ";
        sql += "          ADHS.dbo.T_AtRiskPopulation  ";
        sql += "    WHERE  ";
        sql += "          AHCCCSID_CHR = @AHCCCSID ";
        sql += "     ";
        sql += "    ";
        return sql;
    }

Thanks.
0
Comment
Question by:TimSweet220
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:ivan_vagunin
ID: 36530255
Hi! First I guess the query is done on server side, not client side. The code posted is safe against sql injection attack - there is no chance to embedded client query in it.
0
 
LVL 15

Expert Comment

by:tim_cs
ID: 36530602
How will the value of @AHCCCSID be populated?  
0
 

Author Comment

by:TimSweet220
ID: 36530635
From variable on the form.
0
 
LVL 18

Accepted Solution

by:
ivan_vagunin earned 2000 total points
ID: 36530661
Look following documentation - using parameters is safe against sql injection:
http://msdn.microsoft.com/en-us/library/ff648339.aspx#paght000002_step3
0
 

Author Closing Comment

by:TimSweet220
ID: 36530682
Excellent.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In an ASP.NET application, I faced some technical problems. In this article, I list them out and show the solutions that I found.  I hope it will be useful. Problem: After closing a pop-up window, the parent page should be refreshed automaticall…
A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
Loops Section Overview
The Relationships Diagram is a good way to get an overall view of what a database is keeping track of. It is also where relationships are defined. A relationship specifies how two tables connect to each other. As you build tables in Microsoft Ac…
Suggested Courses

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question