Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does using parameterized SqlCommand make my program immune to SQL injection?

Tags:

c#

.net

security

sql

sql-injection

I'm aware that SQL injection is rather dangerous. Now in my C# code I compose parameterized queries with SqlCommand class:

SqlCommand command = ...; command.CommandText = "SELECT * FROM Jobs WHERE JobId = @JobId;"; command.Parameters.Add("@JobId", SqlDbType.UniqueIdentifier ).Value = actualGuid; command.ExecuteNonQuery();

Will this automatically make my code immune to SQL injection? Do I have to do something extra?

like image 803
sharptooth Avatar asked Aug 24 '11 11:08

sharptooth

People also ask

Do parameterized queries prevent SQL injection?

Correct usage of parameterized queries provides very strong, but not impenetrable, protection against SQL injection attacks.

Is parameterized SQL safe?

A driver allows an application to construct and run SQL statements against a database, extracting and manipulating data as needed. Parameterized statements make sure that the parameters (i.e. inputs) passed into SQL statements are treated in a safe manner.

What helps preventing SQL injection?

How to Prevent an SQL Injection. The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.

What is parameterized SQL query?

Parameterized SQL queries allow you to place parameters in an SQL query instead of a constant value. A parameter takes a value only when the query is executed, which allows the query to be reused with different values and for different purposes.

1 Answers

I'd say for your particular, and probably canonical, example for parametrized queries, yes it is sufficient.

However, people sometimes write code like this

cmd.CommandText = string.Format("SELECT * FROM {0} WHERE col = @col;", tableName); cmd.Parameters.Add("@col", ...);

because there is simply no way to pass the tablename itself as a parameter and the desire to do exists sometimes - misguided or not. It seems it is then often overlooked, that tableName (unless maybe only read from a set of static/constant values that do not derive from any input) indeed allows for SQL injection.

like image 58
Christian.K Avatar answered Sep 25 '22 01:09

Christian.K
Sign in to Comment

Related questions

Why float.Epsilon and not zero?
Using Profiles in Automapper to map the same types with different logic
Is there a TimePicker control in WPF (.NET 4)?
Host vs DnsSafeHost
C# Interpreter (without compilation) [closed]
Can I get parameter names/values procedurally from the currently executing function?
ILMerge DLL: Assembly not merged in correctly, still listed as an external reference
Entity Framework - Migrations - Code First - Seeding per Migration
Format decimal to two places or a whole number
How to add an extra button to the window's title bar?
In memory database in .net [closed]
Graph API - Insufficient privileges to complete the operation
PropertyChanged event always null
How to start a new process without administrator privileges from a process with administrator privileges?
What is the difference between Host and WebHost class in asp.net core
Robust Random Number Generation [closed]
Why isn't there a SelectedNodeChanged event for Windows.Forms.TreeView?
How can I programmatically check-out an item for edit in TFS?
What is the purpose of FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) inside Global.asax [closed]
Avoiding the overhead of C# virtual calls

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!