Solved

SQL Injection with queries built client side

Posted on 2011-09-13
5
190 Views
Last Modified: 2012-05-12
I need to know how possile it is  for an SQL injection event to occur when the queries to the database are done on the client side in this manner:

    private string getSQL_AHCCCS()
    {
        string sql = "";
        sql += "    SELECT ";
        sql += "          NULL AS ENRL_BEG_DAT_INT,  ";
        sql += "          NULL AS ENRL_END_DAT_INT,  ";
        sql += "          AcuteMedicalRateCode_CHR AS ACUTE_RATE_CD_CHR,  ";
        sql += "          HealthPlanID_CHR AS ACUTE_HP_ID_CHR,  ";
        sql += "          Name_VAR AS RP_NAME_VAR,  ";
        sql += "          DOB_CHR AS RP_DAT_OF_BIR_INT,  ";
        sql += "          AHCCCSID_CHR AS AHCCCS_ID_CHR,  ";
        sql += "          Gender_CHR AS RP_SEX_CHR  ";
        sql += "    FROM  ";
        sql += "          ADHS.dbo.T_AtRiskPopulation  ";
        sql += "    WHERE  ";
        sql += "          AHCCCSID_CHR = @AHCCCSID ";
        sql += "     ";
        sql += "    ";
        return sql;
    }

Thanks.
0
Comment
Question by:TimSweet220
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:ivan_vagunin
ID: 36530255
Hi! First I guess the query is done on server side, not client side. The code posted is safe against sql injection attack - there is no chance to embedded client query in it.
0
 
LVL 15

Expert Comment

by:tim_cs
ID: 36530602
How will the value of @AHCCCSID be populated?  
0
 

Author Comment

by:TimSweet220
ID: 36530635
From variable on the form.
0
 
LVL 18

Accepted Solution

by:
ivan_vagunin earned 500 total points
ID: 36530661
Look following documentation - using parameters is safe against sql injection:
http://msdn.microsoft.com/en-us/library/ff648339.aspx#paght000002_step3
0
 

Author Closing Comment

by:TimSweet220
ID: 36530682
Excellent.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
convert html to string 6 35
Executing SSIS with a Stored Procedure Permissions 12 62
Example works but why do I need to click twice on button 4 43
Linq asp.net mvc 13 12
Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question