We have a SQL statement that uses the SqlBuilder to set the table name in the FROM clause. The database is SQL Server 2008 and up.
var sqlBuilder = new SqlBuilder();
sqlBuilder.Select("*").From(tableName);   // tableName comes from outside the code
sqlBuilder.Where("...");
Connection.BuilderQuery<dynamic>(sqlBuilder).Select(Map);
I am wondering whether this is a SQL injection risk, and how I can mitigate that risk. Or does the SqlBuilder take care of these things?
Could I mitigate the risk simply by wrapping the table name in square brackets? e.g.
sqlBuilder.From("[" + tableName + "]");
Also, it would be much appreciated if someone could provide some examples of a SQL injection attack in the FROM clause so that I can understand how it works and create tests.
I don't know what SqlBuilder is, but here's an example of exploiting an injection:
Suppose you have code that does:
var myFullQuery = string.Format("SELECT * FROM {0} WHERE A = 1", externalInput);
and then executes this against the database. If a malicious user sent this string as input:
ValidTableName; DELETE FROM ValidTableName; SELECT * FROM ValidTableName
the myFullQuery variable would be set to:
SELECT * FROM ValidTableName; DELETE FROM ValidTableName; SELECT * FROM ValidTableName WHERE A = 1
and you've lost your entire table... Obviously much more devastating commands can be implemented this way...
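The answer above shows the problem; the question also asks whether wrapping the name in square brackets is enough. The following added example (written in Python rather than the question's C#, and not code from either poster or from any SqlBuilder library) shows the two checks a defender actually needs for an identifier that cannot be parameterised: an allow-list of table names the application controls, and bracket quoting that doubles any `]` the way SQL Server's QUOTENAME() does. The table names in `ALLOWED_TABLES` and the sample inputs are constructed for the example.

```python
import re
from typing import Iterable

# Constructed allow-list: the tables this application is permitted to query.
# In real code this comes from configuration or the schema, never from input.
ALLOWED_TABLES = frozenset({"Customers", "Orders", "AuditLog"})

# Plain identifier shape (letters, digits, underscore), used as a structural
# check in addition to the allow-list.
_PLAIN_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_identifier(name: str) -> str:
    """Bracket-quote a SQL Server identifier the way QUOTENAME() does.

    Any ']' inside the name is doubled to ']]', so the bracketed identifier
    cannot be closed early.  The question's "[" + tableName + "]" skips this
    step, which is why bracket-wrapping alone is not a mitigation: a single
    ']' in the input would end the identifier and the rest of the input
    would be parsed as SQL.
    """
    return "[" + name.replace("]", "]]") + "]"


def is_plain_identifier(name: str) -> bool:
    """True if the name looks like an unquoted identifier (no spaces or punctuation)."""
    return bool(_PLAIN_IDENTIFIER.match(name))


def validate_table_name(name: str, allowed: Iterable[str] = ALLOWED_TABLES) -> str:
    """Return the name if it is on the allow-list, otherwise raise ValueError.

    This is the real defence: identifiers cannot be sent as query parameters,
    so the only safe source for a table name is a fixed set the code controls.
    The shape check is a second line of defence if the allow-list is ever
    misconfigured.
    """
    if name not in set(allowed):
        raise ValueError(f"table not permitted: {name!r}")
    if not is_plain_identifier(name):
        raise ValueError(f"table name has unexpected characters: {name!r}")
    return name


def build_select(table_name: str) -> str:
    """Build the query the SqlBuilder snippet produces, with the name validated and quoted."""
    safe_name = quote_identifier(validate_table_name(table_name))
    return f"SELECT * FROM {safe_name} WHERE A = 1"


def is_rejected(table_name: str) -> bool:
    """Helper for tests: True if build_select refuses the given input."""
    try:
        build_select(table_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_select("Orders"))
    # The injected string from the answer above is refused by the allow-list.
    print(is_rejected("ValidTableName; DELETE FROM ValidTableName; SELECT * FROM ValidTableName"))
```

Escaping is what keeps the quoting itself correct; the allow-list is what keeps an attacker from naming a table you never intended to expose. Use both, and write your tests around inputs that contain `;`, `]`, and `--` as well as names that are simply not on the list.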