views: 204

answers: 1

I need to work around an NHibernate bug I reported here. Essentially, NHibernate will generate multiple SQL parameters for the same HQL parameter, which results in problems for queries that use a parameter in a grouping construct.

Until the bug is fixed, I figured I'd just concatenate the parameter into the HQL. Obviously this is susceptible to SQL injection unless I escape the parameter value (since it's HQL, I can't use regular ADO.NET parameters).

Is there a method within System.Data somewhere that will escape a parameter value, making it safe to concatenate into a SQL string? I'm using SQL Server 2005, and I'm happy to do something specific to that platform for the short term until the NHibernate bug is fixed.

Thanks, Kent

+1  A: 

To my knowledge there is nothing available for you to use (something similar to the Oracle DBMS_ASSERT library would work if it were available in Sql Server). One thing you could do that would protect you would be to simply check your parameter value (i.e. what you are going to concatenate) for any whitespace at all and throw an exception if it includes it - this should protect you against anything destructive in terms of injection. Naturally, this will only be a viable solution if you are concatenating a parameter that doesn't require the ability to find values that actually do contain whitespace, however I would think that would be a limited scenario.

chadhoc
Alas, that is exactly my scenario. It's basically a category name that I'm matching against, which can include whitespace. At worst I will be checking for quotes and throwing if there are any in the parameter value.
Kent Boogaart
Ha, figures that would be the case. If you read through this other SO thread (here: http://stackoverflow.com/questions/1800013/does-this-code-prevent-sql-injection), it provides some pretty good code that will protect against a vast majority of things, but you'll almost always be susceptible to non-printable key attacks (i.e. backspacing).
chadhoc
Cool - thanks. For now I've added a very restrictive check to ensure the input matches a regex of `@"^[A-Za-z\:\, ]*$"`. If not, an exception is thrown.
Kent Boogaart
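The whitelist-then-concatenate approach discussed in this answer and its comments, written out as an added C# example (it is not code from the question, the answer, or NHibernate). It applies the same regex given in the last comment, and additionally doubles any single quote so the value is emitted as one well-formed string literal (the `''` escape is the one both HQL and T-SQL use for a quote inside a literal). The class name `HqlLiteral`, the method `Quote`, the `Product`/`Category` entity names and the sample inputs are all made up for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not code from the original question or answer.
// Whitelists a value before it is concatenated into an HQL string, and as a
// second layer doubles any single quote so the result is always exactly one
// string literal. Class and method names are invented for this example.
public static class HqlLiteral
{
    // The pattern from the comment thread: letters, colon, comma and space.
    // Note that it also accepts the empty string; reject that separately if needed.
    private static readonly Regex Allowed =
        new Regex(@"^[A-Za-z\:\, ]*$", RegexOptions.Compiled);

    // Returns the value wrapped in single quotes, ready to paste into HQL,
    // or throws if the value contains anything outside the whitelist.
    public static string Quote(string value)
    {
        if (value == null)
            throw new ArgumentNullException("value");
        if (!Allowed.IsMatch(value))
            throw new ArgumentException(
                "Category name contains characters outside the whitelist: " + value, "value");

        // Defence in depth: the regex already excludes single quotes, but doubling
        // them is the HQL/T-SQL literal escape, so the output stays a single literal
        // even if the whitelist is loosened later.
        return "'" + value.Replace("'", "''") + "'";
    }

    public static void Main()
    {
        // Constructed sample inputs for illustration only.
        string[] inputs =
        {
            "Books, Fiction",            // accepted: letters, comma, space
            "Sports: Outdoor",           // accepted: colon
            "x' OR '1'='1",              // rejected: quote, '=' and digits are not whitelisted
            "Toys; DROP TABLE Category"  // rejected: ';' is not whitelisted
        };

        foreach (string input in inputs)
        {
            try
            {
                // Hypothetical HQL with the literal used in a grouping construct,
                // the situation the question says cannot use a named parameter yet.
                string hql = "select p.Category.Name, count(p) from Product p"
                           + " where p.Category.Name = " + HqlLiteral.Quote(input)
                           + " group by p.Category.Name";
                Console.WriteLine("OK   " + hql);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("FAIL " + ex.Message);
            }
        }
    }
}
```

Rejecting rather than escaping is the point here: an escaping routine has to be right for every character the target grammar treats specially, while a short whitelist only has to be right about the characters the application actually needs. Keep the quote-doubling even so, so that a later, wider whitelist cannot silently turn the value into two literals.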