tags:

views:

299

answers:

3
+1  Q: 

Build safe search conditions for SQL WHERE clause

I need to build search conditions to be used with WHERE clause. This search condition is then passed to a different application to be executed as a part of SQL query. Because there search conditions can be quite complex (including sub-queries) I don't believe receiving application can intelligently parse them to prevent SQL injection attacks.

Best practices state that parametrized queries should be used. That works fine when you use command object to execute the query yourself. In my case I wish to obtain that query string with parameters merged into it, and parse out where search clause I am interested in. Is there a way to do this?

I work with MS SQL Server and currently simply replace all single quotes with two single quotes in string I receive from a caller. Is there a better way to achieve some level of protection from SQL injection attacks?

+2  A: 

Have a look at these 2 links

Does this code prevent SQL injection?

and

Proving SQL Injection

astander  2009-12-06 15:29:01
Informative read, but unfortunately points me into direction of replacing/stripping illegal characters from the user input, as parameterization is not possible in my case.
see me no more  2009-12-06 15:56:09
I am sorry if I misunderstood, but I thought that was your intention?
astander  2009-12-06 15:58:39
I was looking for a better than "replacing quotes" way of protecting against injection attacks. Or a proof that replacing quotes will suffice. One of the answers for the second thread in your reply seems to indicate that handling quotes should be good enough. I will however, apply strict rules to my input strings, because I will know what possible value a valid string might contain.Thanks!
see me no more  2009-12-06 17:33:01
A: 

some guidelines from OWASP

ram  2009-12-06 15:38:57
+1  A: 

I think you are fine: According to the SQL Server Books Online, a solitary single quote seems to be the only way to exit a quoted string that was started with a single quote. Thus, replacing ' with '' should suffice to avoid SQL injection through string variables.

I cannot think of any way to inject SQL through other, non-string native C# data types, if they are properly (locale-invariant) converted to strings.

Nevertheless, parameterized queries are the "recommended" solution. At the moment, your application seems to be organized like this:

  1. Part A creates a WHERE statement based on user input.
  2. A string containing this WHERE statement is passed to Part B.
  3. Part B adds SELECT etc. and sends it to SQL Server.

Would it be an option to rewrite your application like this?

  1. Part A creates a parameterized WHERE statement plus a set of parameters based on user input.
  2. A string containing the WHERE statement plus a Hashtable (or something similar) containing the parameters is passed to Part B.
  3. Part B creates a command, adds SELECT etc., adds the parameters and sends it to SQL Server.

I was in a similar situation and solved it by creating a SubSQL class, which basically contains a parameterized string with the CommandText and a hash table with the parameters. You could then use this as mySubSQL.CommandText += ..., mySubSQL.Parameters("@myfield") = myValue and mySubSQL.MergeInto(myCommand) (the implementation should be obvious and straight-forward).

Heinzi  2009-12-06 16:56:56
Rewrite the application to use parameterized queries is not an option unfortunately. My .Net application has to feed queries into SugarCRM's SOAP API (written in PHP).The best I can do so far is simply be very strict with what can be passed into my code. For example if I am looking for user by email address using SOAP API I must make sure the string passed to me by caller is in fact an email address, if I am looking for a product SKU make sure it's alphanumeric etc. Thanks for the help though!
see me no more  2009-12-06 17:16:19

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?