Solved

SQL Injection with queries built client side

Posted on 2011-09-13
5
194 Views
Last Modified: 2012-05-12
I need to know how possible it is for an SQL injection event to occur when the queries to the database are done on the client side in this manner:

    private string getSQL_AHCCCS()
    {
        string sql = "";
        sql += "    SELECT ";
        sql += "          NULL AS ENRL_BEG_DAT_INT,  ";
        sql += "          NULL AS ENRL_END_DAT_INT,  ";
        sql += "          AcuteMedicalRateCode_CHR AS ACUTE_RATE_CD_CHR,  ";
        sql += "          HealthPlanID_CHR AS ACUTE_HP_ID_CHR,  ";
        sql += "          Name_VAR AS RP_NAME_VAR,  ";
        sql += "          DOB_CHR AS RP_DAT_OF_BIR_INT,  ";
        sql += "          AHCCCSID_CHR AS AHCCCS_ID_CHR,  ";
        sql += "          Gender_CHR AS RP_SEX_CHR  ";
        sql += "    FROM  ";
        sql += "          ADHS.dbo.T_AtRiskPopulation  ";
        sql += "    WHERE  ";
        sql += "          AHCCCSID_CHR = @AHCCCSID ";
        sql += "     ";
        sql += "    ";
        return sql;
    }

Thanks.
0
Question by:TimSweet220
5 Comments
 
LVL 18

Expert Comment

by:ivan_vagunin
ID: 36530255
Hi! First, I guess the query is done on the server side, not the client side. The code posted is safe against an SQL injection attack - there is no chance to embed a client query in it.
0
 
LVL 15

Expert Comment

by:tim_cs
ID: 36530602
How will the value of @AHCCCSID be populated?  
0
 

Author Comment

by:TimSweet220
ID: 36530635
From variable on the form.
0
 
LVL 18

Accepted Solution

by:
ivan_vagunin earned 500 total points
ID: 36530661
Look at the following documentation - using parameters is safe against SQL injection:
http://msdn.microsoft.com/en-us/library/ff648339.aspx#paght000002_step3
0
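Concretely, as an added example that is not code from the question or from the linked MSDN page: the query from the question wired to a SqlCommand with a typed parameter, beside the concatenation pattern that would be injectable. The connection string, the parameter length and the reduced column list are assumptions for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class AtRiskLookup
{
    // UNSAFE pattern: the form value is spliced into the SQL text, so whatever
    // the user typed is parsed by SQL Server as part of the statement. A value
    // such as O'Brien already breaks the query, and crafted input can alter it.
    public static string BuildUnsafeSql(string ahcccsIdFromForm)
    {
        return "SELECT AHCCCSID_CHR, Name_VAR FROM ADHS.dbo.T_AtRiskPopulation "
             + "WHERE AHCCCSID_CHR = '" + ahcccsIdFromForm + "'";
    }

    // SAFE pattern (what the question's getSQL_AHCCCS enables): the SQL text is
    // fixed and contains only the @AHCCCSID placeholder; the form value is sent
    // as a typed parameter and is always compared as data, never as SQL text.
    public static DataTable LookupSafe(string connectionString, string ahcccsIdFromForm)
    {
        const string sql =
            "SELECT AHCCCSID_CHR, Name_VAR, DOB_CHR " +
            "FROM ADHS.dbo.T_AtRiskPopulation " +
            "WHERE AHCCCSID_CHR = @AHCCCSID";

        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The length (20) is an assumption for this example; match the real
            // AHCCCSID_CHR column definition so no implicit conversion occurs
            // and the cached plan is reused.
            cmd.Parameters.Add("@AHCCCSID", SqlDbType.Char, 20).Value = ahcccsIdFromForm;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```

The same principle applies whether the string is assembled on the client or the server: the risk is in concatenating the user-supplied value into the SQL text, not in where the text is built.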
 

Author Closing Comment

by:TimSweet220
ID: 36530682
Excellent.
0
