  • Category: ASP.NET

    SQL injection--Improper Neutralization of Special Elements used in an SQL Command

    Hi Team,

    Let me know how I can convert the dynamic SQL query in the code below into a parameterized query, so that we can fix this flaw.



    // Open the connection only when no enclosing transaction already supplies one.
    if (dbTrans == null) dbConn.Open();

    // The three branches differ only in the concrete command class (System.Data.Odbc,
    // System.Data.OleDb, System.Data.SqlClient). Each command receives the SQL text and
    // the parameter collection separately, so if sqlStatement is assembled by concatenating
    // user input, every branch is injectable. sqlStatement must contain only parameter
    // markers (@name for SqlClient, positional ? for ODBC and OLE DB) and every runtime
    // value must be supplied through PopulateCmdParameters.
    switch (provider)
    {
        case DbProvider.ODBC:
            DbCommand odbcCmd = new OdbcCommand();
            odbcCmd.Connection = dbConn;
            odbcCmd.CommandText = sqlStatement;   // text with '?' markers only
            odbcCmd.CommandType = sqlType;
            odbcCmd.Transaction = dbTrans;
            odbcCmd.CommandTimeout = queryTimeOut;
            PopulateCmdParameters(odbcCmd.Parameters);   // values bound in marker order
            odbcCmd.ExecuteNonQuery();
            break;

        case DbProvider.OLE:
            DbCommand oleCmd = new OleDbCommand();
            oleCmd.Connection = dbConn;
            oleCmd.CommandText = sqlStatement;    // text with '?' markers only
            oleCmd.CommandType = sqlType;
            oleCmd.Transaction = dbTrans;
            oleCmd.CommandTimeout = queryTimeOut;
            PopulateCmdParameters(oleCmd.Parameters);    // values bound in marker order
            oleCmd.ExecuteNonQuery();
            break;

        case DbProvider.SQL:
            DbCommand sqlCmd = new SqlCommand();
            sqlCmd.Connection = dbConn;
            sqlCmd.CommandText = sqlStatement;    // text with @name markers only
            sqlCmd.CommandType = sqlType;
            sqlCmd.Transaction = dbTrans;
            sqlCmd.CommandTimeout = queryTimeOut;
            PopulateCmdParameters(sqlCmd.Parameters);    // values bound by parameter name
            sqlCmd.ExecuteNonQuery();
            break;
    }
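    The following is an added example, not code from the original post. It shows the dynamic (concatenated) query next to its parameterized form and a provider-agnostic version of the switch above, including a possible body for PopulateCmdParameters. The table and column names, the connection string, and the helper names are assumptions; the namespaces are the .NET Framework System.Data providers the posted code already uses.

```csharp
// Added example: vulnerable dynamic SQL next to the parameterized version,
// built through the same ODBC / OLE DB / SqlClient switch as the question.
// Users/Id/Name, the connection string and the helper names are assumptions.
using System;
using System.Data;
using System.Data.Common;
using System.Data.Odbc;
using System.Data.OleDb;
using System.Data.SqlClient;

public enum DbProvider { ODBC, OLE, SQL }

public static class SafeDb
{
    // BEFORE: the value is spliced into the SQL text. With userName =
    // "x' OR '1'='1' --" the attacker rewrites the WHERE clause.
    public static string BuildVulnerable(string userName)
    {
        return "SELECT Id, Name FROM Users WHERE Name = '" + userName + "'";
    }

    // AFTER: the SQL text is constant; the value travels as a parameter.
    // SqlClient uses named markers (@name); ODBC and OLE DB use positional '?'.
    public static string BuildParameterized(DbProvider provider)
    {
        return provider == DbProvider.SQL
            ? "SELECT Id, Name FROM Users WHERE Name = @name"
            : "SELECT Id, Name FROM Users WHERE Name = ?";
    }

    // Same switch as in the question, with the parameter values passed in explicitly.
    public static DbCommand CreateCommand(DbProvider provider, DbConnection conn,
        DbTransaction trans, string sql, CommandType type, int timeout,
        params (string Name, object Value)[] args)
    {
        DbCommand cmd;
        switch (provider)
        {
            case DbProvider.ODBC: cmd = new OdbcCommand(); break;
            case DbProvider.OLE:  cmd = new OleDbCommand(); break;
            case DbProvider.SQL:  cmd = new SqlCommand(); break;
            default: throw new ArgumentOutOfRangeException(nameof(provider));
        }
        cmd.Connection = conn;
        cmd.Transaction = trans;
        cmd.CommandText = sql;          // markers only, never concatenated input
        cmd.CommandType = type;
        cmd.CommandTimeout = timeout;
        PopulateCmdParameters(cmd, args);
        return cmd;
    }

    // One DbParameter per value. For ODBC/OLE DB the array order must match the
    // order of the '?' markers; SqlClient matches on ParameterName instead.
    public static void PopulateCmdParameters(DbCommand cmd, (string Name, object Value)[] args)
    {
        foreach (var (name, value) in args)
        {
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = name;
            p.Value = value ?? DBNull.Value;   // sent as data by the driver, not as SQL
            cmd.Parameters.Add(p);
        }
    }

    public static void Main()
    {
        string attacker = "x' OR '1'='1' --";
        Console.WriteLine(BuildVulnerable(attacker));   // WHERE clause now: Name = 'x' OR '1'='1' --'

        // Assumed connection string; nothing is executed in this example.
        using (var conn = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        using (DbCommand cmd = CreateCommand(DbProvider.SQL, conn, null,
            BuildParameterized(DbProvider.SQL), CommandType.Text, 30, ("@name", attacker)))
        {
            Console.WriteLine(cmd.CommandText);          // constant text with @name marker
            Console.WriteLine(cmd.Parameters[0].Value);  // the attacker string, as a value only
            // conn.Open(); cmd.ExecuteNonQuery();       // would run against the assumed database
        }
    }
}
```

    Note that the fix is in how sqlStatement is produced: the command-building switch itself does not need to change as long as the text reaching it contains only markers and every runtime value goes through the parameter collection.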
  • #767470
    HI,
    SQL injection is possible when dynamic SQL is handled carelessly, so you need to call the stored procedure through RPC and use .CreateParameter to specify the parameters.
    Please go through the 'SQL Injection – a Serious Security Issue' section here:
    http://www.sommarskog.se/dynamic_sql.html

  • #767481
    Hi,

    Microsoft has always suggested calling the database using stored procedures only, rather than calling it through code. My suggestion is to prepare one procedure and call that procedure in your application; that will help you clear these types of issues.

    --------------------------------------------------------------------------------
    Give respect to your work, Instead of trying to impress your boss.

    N@veen
    Blog : http://naveens-dotnet.blogspot.in/
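    The two replies above both recommend a stored procedure call with parameters created through CreateParameter. The following is an added example of that call, not code from either reply: it uses CommandType.StoredProcedure so the driver issues an RPC call with typed arguments. The procedure dbo.GetUserByName, its @Name nvarchar(100) parameter and the connection string are assumptions.

```csharp
// Added example: stored procedure called via RPC with a bound parameter.
// dbo.GetUserByName(@Name nvarchar(100)) and the connection string are assumed.
using System;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;

public static class StoredProcCall
{
    // With CommandType.StoredProcedure the procedure name is the only text sent;
    // every argument travels as a typed parameter, so quotes in userName stay data.
    public static DbCommand CreateGetUserCommand(DbConnection conn, string userName)
    {
        DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "dbo.GetUserByName";
        cmd.CommandType = CommandType.StoredProcedure;

        DbParameter name = cmd.CreateParameter();
        name.ParameterName = "@Name";
        name.DbType = DbType.String;
        name.Size = 100;          // matches the declared nvarchar(100); avoids silent truncation
        name.Value = userName;
        cmd.Parameters.Add(name);
        return cmd;
    }

    // Caveat: this binds the call only. A procedure body such as
    //   EXEC('SELECT * FROM Users WHERE Name = ''' + @Name + '''')
    // re-creates the injection on the server. Use a static query inside the
    // procedure, or sp_executesql with its own parameters, as the linked
    // Sommarskog article describes.
    public static void Main()
    {
        using (var conn = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        using (DbCommand cmd = CreateGetUserCommand(conn, "O'Brien'; DROP TABLE Users; --"))
        {
            Console.WriteLine(cmd.CommandType);              // StoredProcedure
            Console.WriteLine(cmd.CommandText);              // dbo.GetUserByName
            Console.WriteLine(cmd.Parameters["@Name"].Value); // the raw string, as a value only
            // conn.Open();
            // using (DbDataReader r = cmd.ExecuteReader()) { while (r.Read()) { /* ... */ } }
        }
    }
}
```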

