SQL Injection with queries built client side

Posted on 2011-09-13
Last Modified: 2012-05-12
I need to know how possible it is for an SQL injection event to occur when the queries to the database are done on the client side in this manner:

    private string getSQL_AHCCCS()
    {
        string sql = "";
        sql += "    SELECT ";
        sql += "          NULL AS ENRL_BEG_DAT_INT,  ";
        sql += "          NULL AS ENRL_END_DAT_INT,  ";
        sql += "          AcuteMedicalRateCode_CHR AS ACUTE_RATE_CD_CHR,  ";
        sql += "          HealthPlanID_CHR AS ACUTE_HP_ID_CHR,  ";
        sql += "          Name_VAR AS RP_NAME_VAR,  ";
        sql += "          DOB_CHR AS RP_DAT_OF_BIR_INT,  ";
        sql += "          AHCCCSID_CHR AS AHCCCS_ID_CHR,  ";
        sql += "          Gender_CHR AS RP_SEX_CHR  ";
        sql += "    FROM  ";
        sql += "          ADHS.dbo.T_AtRiskPopulation  ";
        sql += "    WHERE  ";
        sql += "          AHCCCSID_CHR = @AHCCCSID ";
        sql += "     ";
        sql += "    ";
        return sql;
    }

Thanks.
Question by:TimSweet220
5 Comments
 
LVL 18

Expert Comment

by:ivan_vagunin
ID: 36530255
Hi! First, I guess the query is done on the server side, not the client side. The code posted is safe against an SQL injection attack: there is no chance to embed a client query in it.
 
LVL 15

Expert Comment

by:tim_cs
ID: 36530602
How will the value of @AHCCCSID be populated?  
 

Author Comment

by:TimSweet220
ID: 36530635
From variable on the form.
 
LVL 18

Accepted Solution

by:ivan_vagunin (earned 2000 total points)
ID: 36530661
Look at the following documentation: using parameters is safe against SQL injection.
http://msdn.microsoft.com/en-us/library/ff648339.aspx#paght000002_step3
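The accepted answer's point, as an added example that is not part of the original thread: the statement from the question executed through SqlCommand, with the form value bound to @AHCCCSID as a typed parameter, next to the concatenated form that would be injectable. The connection string, the parameter length of 9 and the LookupByAhcccsId/BuildUnsafeSql names are assumptions for illustration.

```csharp
using System.Data;
using System.Data.SqlClient;

static class AhcccsLookup
{
    // Same statement the question builds; @AHCCCSID stays a placeholder in the text.
    private static string GetSql_AHCCCS()
    {
        return @"SELECT NULL AS ENRL_BEG_DAT_INT, NULL AS ENRL_END_DAT_INT,
                        AcuteMedicalRateCode_CHR AS ACUTE_RATE_CD_CHR,
                        HealthPlanID_CHR AS ACUTE_HP_ID_CHR,
                        Name_VAR AS RP_NAME_VAR, DOB_CHR AS RP_DAT_OF_BIR_INT,
                        AHCCCSID_CHR AS AHCCCS_ID_CHR, Gender_CHR AS RP_SEX_CHR
                 FROM ADHS.dbo.T_AtRiskPopulation
                 WHERE AHCCCSID_CHR = @AHCCCSID";
    }

    // Safe: the form value travels to SQL Server as a separate, typed parameter value.
    // The server parses the statement text first and only then substitutes the value,
    // so whatever characters the user typed are compared as data, never parsed as SQL.
    public static DataTable LookupByAhcccsId(string connectionString, string ahcccsIdFromForm)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(GetSql_AHCCCS(), conn))
        {
            // Assumed column width of 9; declaring type and length also avoids implicit
            // conversions that would defeat an index on AHCCCSID_CHR.
            cmd.Parameters.Add("@AHCCCSID", SqlDbType.Char, 9).Value = ahcccsIdFromForm;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
        }
        return table;
    }

    // Unsafe counterpart, shown only for contrast and never to be executed: the form
    // value is spliced into the statement text, so a value containing a single quote
    // ends the string literal and the remainder is parsed as part of the statement.
    public static string BuildUnsafeSql(string ahcccsIdFromForm)
    {
        return GetSql_AHCCCS().Replace("@AHCCCSID", "'" + ahcccsIdFromForm + "'");
    }
}
```

Validating the form value (expected length and character set) before the lookup is still worthwhile for data quality, but it is the parameter binding, not the validation, that removes the injection risk.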
 

Author Closing Comment

by:TimSweet220
ID: 36530682
Excellent.
