Small background: I'm the only programmer for this company. I'm working with pre-existing frameworks.
That said, the company has a dll(Database.dll) which contains "all the database interactions I need". As in, it has a Query()
, Update()
, Insert()
, etc. Now, the project I'm writing sets a reference to Database.dll. My project accepts zero user input. The closest thing to user input is a dropdown box that the user can select a date from. Not having much experience with it, I'm curious if I still need to worry about SQL injections? And if so, would a query written like
var query = string.Format("SELECT timestamp FROM table1 WHERE date = \"{0}\"
AND measured_dist = bit_loc AND rop > 0" , Date))
be sufficient as a parameterized query? Keep in mind, all of the query execution is handled by the pre-existing Query()
that I'm told I have to use, and can't edit.
EDIT
This program is a WinForm application.
SQL injection attacks pose a serious security threat to organizations. A successful SQL injection attack can result in confidential data being deleted, lost or stolen; websites being defaced; unauthorized access to systems or accounts and, ultimately, compromise of individual machines or entire networks.
Even though this vulnerability is known for over 20 years, injections still rank number 3 in the OWASP's Top 10 for web vulnerabilities. In 2022, 1162 vulnerabilities with the type “SQL injections” have been accepted as a CVE.
SQL injection is among the top 10 open web application security project (OWASP) vulnerabilities. Applications tend to be at risk of high-profile vulnerabilities like SQL injection attacks.
As noted in comments, the answer is "always". Since it would be so easy to add a parameter to that and do it properly, rather than concatenation: just do it right first time. Also: have you considered that injection is not the only problem in the code you've shown? That code is also susceptible to localisation / internationalisation. What happens for a user who has their PC configured in a different culture? The dates and numbers will get rendered differently - and will often break. That doesn't happen with parameters. Also: names often have apostrophes in :)
Do extend on @KirkWoll's very valid comment, any time you incorporate any user input (or input from automated sources for that matter) in a SQL statement, you place your program at risk of SQL injection.
As a matter of policy, you should never, ever build your own SQL statement using any such input.
Always sanitize input and always use parameterized queries as a first line of defense against SQL injection.
In case you have not seen it before, there's a great illustration on xkcd
http://xkcd.com/327/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With