views: 30

answers: 3

Hi,

I'm developing an application for SQL surveillance; it's just a console application that will run every 5 minutes on a bunch of servers. It has a config file with a connection string and an SQL query. The thing is, I would like the program to accept SELECT queries only.

A colleague told me he thought I could set something in the SqlCommand class, but I've been googling for a while without any success. Has anyone got a clean solution to my problem? I've thought about searching the query for different words, but there's too much that can go wrong.

Any suggestions are welcome!

A: 

This isn't going to be possible unless your application builds the entire SELECT statement itself.

The issue is that even if you ensure the first word is SELECT, there is nothing stopping a malicious user from terminating the command and then issuing an EXEC or UPDATE statement as well.

The best solution is to ensure that the user account referenced in your connection string has limited permissions on the SQL objects, so that only SELECT from the supported objects will work.

Joel Mansford
That's what I meant by "I've thought about searching the query for different words, but there's too much that can go wrong." =/
Tiax
+1  A: 

The database table itself can be restricted.
You can revoke all permissions except SELECT from the user of your application.
Search for the REVOKE/GRANT commands for SQL Server.

Itay
Since the config file includes the connection string, the application itself doesn't provide a user.
Tiax
It has nothing to do with the application. This REVOKE command should be run on the database itself. The application still uses a user to connect to the database.
Itay
A: 

Granting privileges would be the better way to go, but you can still parse the statement, even if it's a series of SQL commands, using something like this:

// Needs "using System;" for StringSplitOptions. Splits the batch on ';' and
// rejects it unless every non-empty statement begins with the word SELECT.
bool OkToRun = true;
foreach (string s in TheQueryString.Split(";".ToCharArray(), StringSplitOptions.RemoveEmptyEntries))
    if (!s.Trim().ToUpper().StartsWith("SELECT "))
        OkToRun = false;
devio
Agree that granting privileges would be the best solution, but in this case the config file gives the program the user. I'll go with your code example until I find anything better! Thanks
Tiax
Not all SELECT queries will lead with the `SELECT` keyword, e.g. those that employ a CTE.
onedaywhen
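As an added example (not code from any poster in this thread), here is the least-privilege setup Itay describes, followed by a verification step that also covers onedaywhen's point about CTEs. The login is the one to put in the monitoring app's config file, which is what makes the database, not the application, the place where "SELECT only" is enforced. The database name SurveillanceDb, the login/user sql_watch, the table dbo.Orders, the procedure dbo.usp_Maintenance and the password are all constructed placeholders; run it as a member of db_owner or sysadmin.

```sql
-- Added example, not from any poster on this page. All names are constructed
-- placeholders (SurveillanceDb, sql_watch, dbo.Orders, dbo.usp_Maintenance).
USE SurveillanceDb;
GO

-- 1. A dedicated login for the monitoring console app; this is the account that
--    goes into the app's connection string, nothing else.
CREATE LOGIN sql_watch WITH PASSWORD = '<strong-password-placeholder>', CHECK_POLICY = ON;
CREATE USER sql_watch FOR LOGIN sql_watch;
GO

-- 2. Grant only SELECT, scoped to the schema the monitoring queries read.
--    (Adding the user to db_datareader would also work, but that covers every
--    schema in the database rather than just the one you intend.)
GRANT SELECT ON SCHEMA::dbo TO sql_watch;

-- 3. Explicit DENY as belt and braces: a DENY is not overridden by a GRANT the
--    user might later pick up through role membership, so writes, DDL and
--    procedure calls stay blocked even if someone widens the user's roles.
DENY INSERT, UPDATE, DELETE, EXECUTE, ALTER ON SCHEMA::dbo TO sql_watch;
GO

-- 4. Verify from the same session by impersonating the new user. Permission
--    errors (Msg 229) abort only the offending statement, so REVERT still runs.
EXECUTE AS USER = 'sql_watch';
SELECT USER_NAME() AS effective_user;              -- sql_watch

SELECT TOP (1) * FROM dbo.Orders;                  -- allowed

WITH recent AS (SELECT TOP (5) * FROM dbo.Orders)  -- allowed: a CTE starts with WITH,
SELECT * FROM recent;                              -- which the StartsWith("SELECT ") check rejects

UPDATE dbo.Orders SET Status = Status;             -- Msg 229: The UPDATE permission was denied
EXEC dbo.usp_Maintenance;                          -- Msg 229: The EXECUTE permission was denied
REVERT;
GO
```

With this in place the application-side keyword check in the answer above becomes, at most, a convenience that catches typos in the config file early; the database rejects anything that is not a read regardless of how the query string is phrased. One caveat: if the monitoring queries call scalar user-defined functions, those need EXECUTE permission, so grant EXECUTE on those specific functions rather than relaxing the schema-level DENY. Inside the EXECUTE AS block, `SELECT * FROM fn_my_permissions('dbo.Orders', 'OBJECT')` lists exactly what the effective user can do on a given object.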