May 26, 2016 - Hi, There are many SQL injection (SQLi) tools we can find on the net, some of them are SQL Ninja, SQLMap, Pangolin, Havij, Reiluke Tools,. Aug 25, 2012 - Joomla Component idoblog 1.1b30 (com_idoblog) SQL Injection Vuln. To find token go back to reiluke SQLiHelper 2.7 and dump username.
I am using stored procedures.In order to save time, I made some generic procedures that uses dynamic sqlin order to update. Such generic procedure is:
How can I prevent sql injection with this code?
NaorNaor
3 Answers
The important aspect to remember about SQL injection is that means that, if at all possible, you should never embed user-supplied values directly into your SQL. This doesn't mean that you can't use dynamic sql (though it definitely makes things easier if you don't), but it does become more dangerous at times.
In your specific example, you can keep the parameterization of everything except
@field_name
. This, unfortunately, must be embedded directly into the SQL; everything else can be passed as a parameter again, so there's no need to worry about their content.The safest thing that you can do in this specific example is the following:
This does two things:
- It verifies that there is actually a column with that name in the table. If the user were to embed any other SQL statements into the field, then this check would fail and the statement would not be executed. You could also call
raiseerror
to report the error, but I'll leave that exercise up to you. - It encloses the field name in square braces so that field names that contain spaces or reserved words will not break the statement. This may not be an issue for you, but it's always good practice if you're generating the SQL yourself.
Adam RobinsonAdam Robinson
You said:
In order to save time, I made some generic procedures that uses dynamic sql in order to update
If you'd asked first, we could have saved time and suggested this...
gbngbn
I would start looking at ways to prevent sql injection attacks before you ever call the SP. Be careful with dynamic SQL strings pieced together from querystring or form data. Use a SqlCommand object.
Edit: In response to the comment, here is a nice explanation of how parameterized queries (SqlCommand queries) help prevent SQL injection.
From http://forums.asp.net/t/1568268.aspx:
...The placeholder - @Id - has become part of the hardcoded SQL. At runtime, the value provided by the querystring is passed to the database along with the hardcoded SQL, and the database will check the ProductID field as it attempts to bind the parameter value to it. This ensures a level of strong typing. If the parameter value is not the right type for the database field (a string, or numeric that's out of range for the field type), the database will be unable to convert it to the right type and will reject it. If the target field datatype is a string (char, nvarchar etc), the parameter value will be 'stringified' automatically, which includes escaping single quotes. It will not form part of the SQL statement to be executed.
SquidScareMeSquidScareMe