I'm writing a select query in a C# method which lets client code provide a row ID and get back an object constructed from the row's data. If the row ID is an integer and I have confirmed it's positive, is there any harm in just passing it through using string.Format? I don't see how any damage could be done if they were only allowed to pass in an int and not a string.
+1
A:
You're answering your own question here. System.Int32 can't contain
';DROP DATABASE xxx;--
If that's what you're worried about. Even passing a negative integer would not negatively impact your database!
Andomar
2009-05-30 15:01:38
Alright. I'm relatively new at this and entirely self-taught on databases (don't worry world, I have learned all 6 normal forms), so I was worried there was some known trick where passing a certain integer could wreak havoc.
ehdv
2009-05-30 15:04:01
I would be careful about passing 666. Stuff like that is better kept secret! ;-)
Andomar
2009-05-30 15:16:26
+12
A:
You're right, it would be safe to pass an integer that way. However, there is also another side of the story.
While it can be considered as safe to just format an int an create the SQL expression, there is also a performance consideration. When the SQL server sees a query for the first time, it will create and cache the execution plan for that query. The next time the same query is issued, the execution plan will be reused.
If you pass in different strings, it will be seen as separate queries, requiring separate execution plans. If you pass in the same parameterized query each time (with differing parameters), the first execution plan will be re-used by SQL Server.
Even if you don't care about the performance benefit, I would still use a parameterized query for all queries against the database, even for those that can be considered "safe" as you point out - simply to be consistent in the way the application accesses data. If you always use the parameterized query, it also saves you the trouble of determining whether the query is safe each time in order to decide in which way to query the database.
driis
2009-05-30 15:06:26
+1 - The performance benefit as a result of properly parameterizing queries means that it doesn't make much sense to NOT paramaterize them, ever. Parameterization isn't just for SQL Injection prevention.
Aaron Alton
2009-05-30 15:19:04
+1 - the consistent pattern is to use bind arguments. we do it even in the "safe" case of a single integer, because that follows the same pattern we follow in more complex cases. (the hard parse of a single statement isn't going to have much impact on the performance of a single statement, its the thousands of hard parses per second that impacts scalability)
spencer7593
2009-05-30 15:29:45