MM .NET Tip 'O The Day - Beware SQL Injection!

Level Extreme platform

Subscription

Corporate profile

Products & Services

Support

Legal

Français

MM .NET Tip 'O The Day - Beware SQL Injection!

Message

From

25/06/2003 11:47:28

Kevin McNeish
Oak Leaf Enterprises, Inc.
Troy, Virginia, United States

All

General information

Forum:

ASP.NET

Category:

The Mere Mortals .NET Framework

Title:

MM .NET Tip 'O The Day - Beware SQL Injection!

Miscellaneous

Thread ID:

00803827

Message ID:

00803827

Views:

One of the great features of MM .NET is it frees you up from working directly with ADO.NET (unless you *really* want to). All "rubber meets the road" code is located in a family of data access classes that plug into the business object dynamically at run time. When you access SQL Server data, the SQL Server data access class is used, when you access FoxPro data, the OLE DB data access class is used, and so on.

There are three main ways you can use these data access classes to retrieve data in MM .NET:

1. Concatenating strings for SQL Pass through
2. Parameterized Queries
3. Stored procedures

Of these three, concatenating strings is the easiest. For example, the following business object method retrieves all orders for a specified customer:

In C#:

public DataSet GetOrdersByCustomerID(string custID)
{
	mmDataSet dsOrders = this.GetDataSet("SELECT * FROM Orders WHERE CustomerID = '" +
		custID + "'");

	return dsOrders;
}

And VB .NET:

Public Function GetOrdersByCustomerID(custID As String) As DataSet
	Dim dsOrders As mmDataSet = Me.GetDataSet( _
		"SELECT * FROM Orders WHERE CustomerID = '" & custID & "'")
   
	Return dsOrders
End Function

Notice in these methods you don't have to deal with ADO.NET data-specific classes or connection strings. Behind the scenes, the MM .NET data access classes are pulling together all the ADO.NET classes needed to retrieve data.

However, someone with malicious intent could pass the following customer ID value to this method:

"1' DROP table employees --"

When this value is concatenated to your SQL statement, you get the following:

SELECT * FROM 
Orders WHERE CustomerID = '1' 
DROP table employees

Executing this SQL command completely removes the Employees table from your database! The reason this works is because a double-hyphen "--" is a comment operator in SQL that causes the final single quote to be ignored by SQL Server.

Long story short, easier isn't necessarily better. For more secure ways of building queries, use parmeterized queries, or stored procedures as discussed in the MM .NET Dev Guide Topics:

"Retrieving Data Using Parameterized Queries"
"Retrieving Data Using Stored Procedures"

Regards,

Kevin McNeish
Eight-Time .NET MVP
VFP and iOS Author, Speaker & Trainer
Oak Leaf Enterprises, Inc.
Chief Architect, MM Framework
http://www.oakleafsd.com

Map

View

Click here to load this message in the networking platform