When to worry about SQL injection protection

Tags: c#, sql

Small background: I'm the only programmer for this company. I'm working with pre-existing frameworks.

That said, the company has a DLL (Database.dll) which contains "all the database interactions I need". As in, it has a Query(), Update(), Insert(), etc. Now, the project I'm writing sets a reference to Database.dll. My project accepts zero user input. The closest thing to user input is a dropdown box that the user can select a date from. Not having much experience with it, I'm curious if I still need to worry about SQL injections? And if so, would a query written like

// Date is the value selected in the dropdown; string.Format renders it into the SQL text
var query = string.Format("SELECT timestamp FROM table1 WHERE date = \"{0}\" " +
                          "AND measured_dist = bit_loc AND rop > 0", Date);

be sufficient as a parameterized query? Keep in mind, all of the query execution is handled by the pre-existing Query() that I'm told I have to use, and can't edit.

EDIT

This program is a WinForm application.

PiousVenom asked Jan 16 '13 21:01

2 Answers

As noted in comments, the answer is "always". Since it would be so easy to add a parameter to that and do it properly, rather than concatenation: just do it right first time. Also: have you considered that injection is not the only problem in the code you've shown? That code is also susceptible to localisation / internationalisation. What happens for a user who has their PC configured in a different culture? The dates and numbers will get rendered differently - and will often break. That doesn't happen with parameters. Also: names often have apostrophes in :)

Marc Gravell answered Oct 06 '22 04:10


To extend on @KirkWoll's very valid comment, any time you incorporate any user input (or input from automated sources for that matter) in a SQL statement, you place your program at risk of SQL injection.

As a matter of policy, you should never, ever build your own SQL statement using any such input.

Always sanitize input and always use parameterized queries as a first line of defense against SQL injection.

In case you have not seen it before, there's a great illustration on xkcd:

http://xkcd.com/327/

Eric J. answered Oct 06 '22 05:10
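Both answers above say to pass the date as a parameter instead of formatting it into the SQL text. The C# below is an added example (not the asker's Database.dll Query() and not code from either answerer) that puts the question's query in parameterized form beside the string.Format version and shows the culture problem Marc Gravell describes. The SqlClient provider, the placeholder connection string, the de-DE culture and the class and method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Threading;

static class TimestampQuery
{
    // Placeholder: replace with a real connection string (assumption for this example).
    const string ConnectionString = "<connection-string-placeholder>";

    // The question's approach: the date is rendered into the SQL text using the
    // current culture, so the statement itself changes with the user's locale settings.
    public static string BuildFormattedSql(DateTime date) =>
        string.Format("SELECT timestamp FROM table1 WHERE date = \"{0}\" " +
                      "AND measured_dist = bit_loc AND rop > 0", date);

    // Parameterized form: the SQL text is constant and the value travels separately,
    // typed as a date, so neither the culture nor the value's content alters the query.
    public static DataTable ReadTimestamps(DateTime date)
    {
        const string sql =
            "SELECT timestamp FROM table1 WHERE date = @date " +
            "AND measured_dist = bit_loc AND rop > 0";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@date", SqlDbType.Date).Value = date.Date;
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    static void Main()
    {
        var picked = new DateTime(2013, 1, 16);
        foreach (var culture in new[] { "en-US", "de-DE" })
        {
            // Switching the thread culture changes how {0} renders the date,
            // so the same DateTime produces different SQL text per culture.
            Thread.CurrentThread.CurrentCulture = new CultureInfo(culture);
            Console.WriteLine("{0}: {1}", culture, BuildFormattedSql(picked));
        }
        // ReadTimestamps(picked) would send the same constant SQL under either culture.
    }
}
```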