tags:

views:

68

answers:

2
+1  Q: 

check select statement is valid or not in c#.net

i want to check select statement(string) is valid or not in c#.net, if select statement is right then retrieve data and fill dropdown list box else drop down should be empty

+2  A: 

How often would the select statement be invalid? Seems like a simple try/catch block around the execution of the SQL might be sufficient.

As an aside, I hope you aren't making an app that would allow someone to type in arbitrary SQL into a box which you would then execute...

Eric Petroelje  2010-06-02 13:20:43
There can be a situation where just executing the SQL and handling errors is not safe - suppose you are not fully in control of the SQL that's being executed. In this scenario, if the SQL is something very bad (say a TRUNCATE TABLE statement), then an error may not be thrown but it would have executed the malicious statement. Hence, I think it's safest in this scenario to follow the steps outlined in my answer.
AdaTheDev  2010-06-02 13:55:14
@AdaTheDev - Exactly, which was why I had my comment about allowing someone to type in arbitrary SQL. Very dangerous.
Eric Petroelje  2010-06-02 14:47:16
+2  A: 

One approach which covers most scenarios is to execute the SQL with SET FMTONLY ON

e.g.

SET FMTONLY ON;
SELECT SomeField FROM ExampleQuery

From BOL, SET FMTONLY :

Returns only metadata to the client. Can be used to test the format of the response without actually running the query.query.

That will error if the query is invalid. You can also check the result to determine what the schema of the resultset that is returned would be (i.e. no schema = not a SELECT statement).

Update: In general terms when dealing with SQL that you want to protect against SQL injection there are other things you should be thinking about:

  1. Avoid dynamic sql (concatenating user-entered values into an SQL string to be executed). Use parameterised SQL instead.

  2. Encapsulate the query as a nested query. e.g.

    SELECT * FROM (SELECT Something FROM ADynamicQueryThatsBeenGenerated) x

So if the query contains multiple commands, this would result in an error. i.e. this would result in an invalid query when encapsulated as a nested query:

SELECT SomethingFrom FROM MyTable;TRUNCATE TABLE MyTable
AdaTheDev  2010-06-02 13:27:58
`SELECT SomethingFrom FROM MyTable);TRUNCATE TABLE MyTable;--`
SLaks  2010-06-02 17:04:03

related questions

Is there a "poor man's" alternative to RedGate for scripting out entire database schema?
My SQL Server 2000 Transaction Log Size Seems Small
Is there a way to script diagrams in SQL 2000 (or save them another way)?
Programatically renaming a table in SQL Server 2000 - is sp_rename the only solution?
I am getting a "fatal error 7987" error from SQL Server 2000
SQL Server 2000 and System.Transactions.TransactionScope()
Why should I upgrade from SQL2000 to SQL2005?
Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?
Passing timestamp parameters in SQLAnalyzer to debug stored procedures
Linked Server Performance and options
SQL Server 2005: Importing data from SQL Server 2000
How do I perform a case-sensitive search and replace in SQL 2000/2005?
Warm Backup
Benefits of SQL Server 2005 over 2000
How can I create a human-readable script for every DTS package on a SQL server?
Deleting Rows from a SQL Table marked for Replication
In what situations would you get different users seeing different rows in a table on SQL Server?
Date object last modified
Improving SQL Server performance on VMware under Linux
The log file for database is full.
SQL Server 2000 - Debugging Deadlocks
Strategy for identifying unused tables in SQL Server 2000?
In SQL Server 2000, is there a sysobjects query that will retrieve user views and not system views?
Upgrading Sharepoint 3.0 to SQL 2005 Backend?
How do you deal with transport-level errors in SqlConnection?