views: 308

answers: 2

Hi guys,

I noticed the following:

An ASP.NET MVC website under development gets an SQL error "Unclosed quotation mark ..." when it makes a LINQ call to a stored procedure that contains dynamic SQL.

For example:

SP GetEmployees called with parameter [filter_name] that has value [n'for] throws this error.

I can fix the problem by doing a .replace("'", "''") like this:

```csharp
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Reflection;

[Function(Name = "dbo.GetEmployees")]
public ISingleResult<EmployeeRow> GetEmployees(
    [Parameter(DbType = "NVarChar(MAX)")] string filter_name)
{
    // Double every single quote so the SP's dynamic SQL keeps its string literal closed
    // (a null filter is passed through unchanged instead of being dereferenced).
    string escaped = filter_name == null ? null : filter_name.Replace("'", "''");
    IExecuteResult result = this.ExecuteMethodCall(this, (MethodInfo)MethodInfo.GetCurrentMethod(), escaped);
    return (ISingleResult<EmployeeRow>)result.ReturnValue;
}
```

Now, I don't feel like going through all my SPs and doing this manually. Is there a way to make this a general rule that should be applied to all Linq SP calls I have now and will make in the future?

Also, is there something else I should be escaping to prevent SQL injection attacks?

EDIT:

Added question: Will this give problems with SPs that don't include dynamic SQL? I mean, when I add that name in the database, will it be stored as [n''for]? I just realized this will probably be the case, and then I'll have to do it manually anyway.

A: 

I'm going to give a (possible) answer here to my own question. (let me know in comments if you agree)

It seems more correct that this should be handled inside the SP. The application should not have to worry about whether a certain SP contains dynamic SQL or not.

Thomas Stock
+1  A: 

I suggest you move away from dynamic SQL, as that's the root of the problem. (I know this might cause lots of other issues though, and might not be possible.)

Unless you can guarantee that the dynamic SQL you're building is safe, (so you control this logic internally, with nothing being passed through from the user), it's going to be a problem.

What would happen if filter_name contained a ' or --?

Bravax
I can't move away from dynamic SQL as it is needed in this scenario (the SP uses a lot of (optional) parameters and is quite complex) and I don't make the SPs. But thanks a lot for your advice.
Thomas Stock
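The following T-SQL is an added example, not code from either poster: it shows a GetEmployees SP written the way that produces the "Unclosed quotation mark" error the question describes, then the same SP rebuilt with sp_executesql so the dynamic SQL stays (optional predicates, as in the comment above) but every value is bound as a parameter inside the SP, which is what the first answer proposes and what removes the problem Bravax points out. Table and column names (dbo.Employees, Name, Department) and the second optional parameter are assumptions for illustration.

```sql
-- Added example (not from the original thread). Table/column names are assumed.

-- BEFORE: the filter value is concatenated into the statement text.
-- EXEC dbo.GetEmployees_Unsafe @filter_name = N'n''for' (the value n'for from the
-- question) fails with "Unclosed quotation mark after the character string..."
-- because @sql ends up containing ...LIKE '%n'for%'.
CREATE PROCEDURE dbo.GetEmployees_Unsafe
    @filter_name NVARCHAR(MAX) = NULL,
    @department  NVARCHAR(100) = NULL
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT EmployeeId, Name, Department FROM dbo.Employees WHERE 1 = 1';
    IF @filter_name IS NOT NULL
        SET @sql = @sql + N' AND Name LIKE ''%' + @filter_name + N'%''';   -- splices user text
    IF @department IS NOT NULL
        SET @sql = @sql + N' AND Department = ''' + @department + N'''';
    EXEC (@sql);
END
GO

-- AFTER: the statement is still assembled dynamically (a predicate is appended only
-- when its parameter is supplied), but the values never enter the statement text;
-- sp_executesql binds them as typed parameters. A quote in @filter_name is just data,
-- so the application no longer needs .Replace("'", "''") and nothing is stored doubled.
CREATE PROCEDURE dbo.GetEmployees
    @filter_name NVARCHAR(MAX) = NULL,
    @department  NVARCHAR(100) = NULL
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT EmployeeId, Name, Department FROM dbo.Employees WHERE 1 = 1';
    IF @filter_name IS NOT NULL
        SET @sql = @sql + N' AND Name LIKE N''%'' + @p_filter + N''%''';   -- @p_filter bound below
    IF @department IS NOT NULL
        SET @sql = @sql + N' AND Department = @p_dept';

    EXEC sys.sp_executesql
        @sql,
        N'@p_filter NVARCHAR(MAX), @p_dept NVARCHAR(100)',   -- parameter declarations
        @p_filter = @filter_name,
        @p_dept   = @department;
END
GO

-- Constructed sample call: returns the employee named n'for without error.
EXEC dbo.GetEmployees @filter_name = N'n''for';
```

With the parameterized version the LINQ-to-SQL wrapper passes filter_name through unchanged, so the Replace workaround, and the doubled values it would otherwise write to non-dynamic SPs, disappear.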