Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does using SQL parameter binding mean text can be directly entered from input?

As the title says, if I'm using SQL parameters, ie

SQLCommand cmd = new SQLCommand("select * from users where username = @user and password = @pass limit 1", Cxn);

cmd.Parameters.Add("@user", SqlDbType.VarChar):
cmd.Parameters.Add("@pass", SqlDbType.VarChar):

Can I just enter the parameters value as the direct entry from the input?

cmd.Parameters["@user"].value = txtBxUserName.text;
cmd.Parameters["@pass"].value = txtBxPassword.text;

That's what seems to be suggested whenver you look for anything to do with escaping string etc, the end answer is to just let the parameter binding do it. But will that protect against injection attacks and the like? Or do you still need to perform some server side validation?

Coming from a heavily orientated PHP background it goes against every fibre of my body to directly enter text into a query :p

like image 637
Psytronic Avatar asked Jun 29 '26 10:06

Psytronic


2 Answers

The example you've given is safe in terms of SQL Injection. The only potential SQL Injection problem with parameterized queries is if they address a proc which itself uses dynamic SQL.

Of course, you still have to think about XSS exploits whether you're parameterizing or not.

like image 129
Yellowfog Avatar answered Jul 01 '26 23:07

Yellowfog


Yes, this is the safeties way to store data in database using .net. SQL parameter provide type checking and validation. Because they are treated as a literal value, not as an executable code, this prevents from sql injection.

like image 20
Thea Avatar answered Jul 02 '26 00:07

Thea



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!