Creating database in C# and SQL injection

I have the following code, used to create a database from a C# application:

SqlConnection myConnection = new SqlConnection(ConnectionString);
string myQuery = "CREATE DATABASE " + tbxDatabase.Text; // database name read straight from the textbox
myConnection.Open();
SqlCommand myCommand = new SqlCommand(myQuery, myConnection);
myCommand.ExecuteNonQuery();

Now I worry whether it is safe: will C# accept hacker input like "A; DROP TABLE B" or something similar? How can I make it safer?

RRM asked Feb 26 '13 15:02


1 Answer

Table names and column names cannot be parameterized, but as a first line of defense, wrap the table name in delimiters such as brackets:

string myQuery = "CREATE DATABASE [" + tbxDatabase.Text + "]";

or create a user-defined function that checks the value of the input, e.g.

using System.Text.RegularExpressions;

private bool IsValid(string tableName)
{
    // Allow only letters, digits and underscore, starting with a letter or underscore,
    // and stay within SQL Server's 128-character identifier limit
    if (string.IsNullOrEmpty(tableName) || tableName.Length > 128) return false;
    return Regex.IsMatch(tableName, @"^[A-Za-z_][A-Za-z0-9_]*$");
}

then in your code,

if (IsValid(tbxDatabase.Text))
{
    SqlConnection myConnection = new SqlConnection(ConnectionString);
    string myQuery = "CREATE DATABASE [" + tbxDatabase.Text + "]";
    myConnection.Open();
    SqlCommand myCommand = new SqlCommand(myQuery, myConnection);
    myCommand.ExecuteNonQuery();
}
else
{
    // invalid name: reject the input instead of running the statement
}
John Woo answered Oct 05 '22 10:10
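Bracket delimiting on its own is not enough: a name containing a closing bracket `]` would end the delimiter early, which is why SQL Server's own `QUOTENAME()` doubles any `]` inside the name. The example below is added here and is not code from the question or the answer above; it combines an allow-list check with a parameterized command in which the server itself builds the `CREATE DATABASE` statement through `QUOTENAME()`, so no user text is ever spliced into SQL on the client. `connectionString` and the sample names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example (not from the original post): validate a database name with an
// allow-list, then pass it as a real SqlParameter and let T-SQL QUOTENAME() delimit it.
public static class DatabaseCreator
{
    // Allow-list: letters, digits and underscore, first character a letter or underscore,
    // at most 128 characters (SQL Server's identifier limit).
    private static readonly Regex ValidName =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$", RegexOptions.CultureInvariant);

    public static bool IsValidDatabaseName(string name) =>
        !string.IsNullOrEmpty(name) && ValidName.IsMatch(name);

    // Client-side equivalent of T-SQL QUOTENAME(): wrap in [ ] and double every ]
    // so a name containing ] cannot close the delimiter early. Shown for illustration;
    // CreateDatabase below relies on the server-side QUOTENAME() instead.
    public static string QuoteName(string name) =>
        "[" + name.Replace("]", "]]") + "]";

    public static void CreateDatabase(string connectionString, string name)
    {
        if (!IsValidDatabaseName(name))
            throw new ArgumentException("Invalid database name.", nameof(name));

        // The name travels as a parameter; the server composes the statement with
        // QUOTENAME() and runs it via sp_executesql, so the client never concatenates SQL.
        const string sql = @"
DECLARE @stmt nvarchar(300) = N'CREATE DATABASE ' + QUOTENAME(@name);
EXEC sp_executesql @stmt;";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = name;
            connection.Open();
            command.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample inputs; these checks need no database connection.
        string[] samples = { "Inventory2023", "A; DROP TABLE B", "Foo]Bar", "" };
        foreach (string s in samples)
        {
            Console.WriteLine($"\"{s}\" valid: {IsValidDatabaseName(s)}  quoted: {QuoteName(s)}");
        }
    }
}
```

The regex check is the primary control and rejects anything the delimiter escaping would otherwise have to protect against; `QUOTENAME()` is kept as defense in depth in case the allow-list is later relaxed. Since `CREATE DATABASE` requires elevated server permissions, the connection used here should also be a dedicated, least-privilege account rather than the application's normal login.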