Inserting into DB with parameters safe from SQL injection?

Solution 1

Your code is fine, it is protected from injection because the values are passed as parameters, not string literals. However, if you are writing this type of data access yourself, have you considered creating SqlParameter objects, explicitly setting the type, size, etc., and adding the parameters to the command? AddWithValue will work just fine, but SQL Server will have to determine the type: a little, but unnecessary, overhead.

Solution 2

Well, you could always try to inject a SQL statement into the textbox, that will probably give you a quicker, definite answer.

Solution 3

Yes, that's reasonably safe. So long as you don't use "sanitized" variables from a prepared statement to generate dynamic SQL later, you're usually OK. The fact that you're using a prepared statement will take care of dealing with escape characters and other simple methods of injection.

I wouldn't forgo any other validation though...
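Putting Solution 1's advice (explicit SqlParameter objects with type and size instead of AddWithValue) next to Solution 3's caveat (never reuse a parameter value in string-built SQL later), here is an added example; it is not code from the original question or from any of the answers. It assumes a Lines table with an nvarchar(100) Name column and a datetime2 CreationTime column, the classic System.Data.SqlClient namespace, and a hypothetical LineRepository class with a NameMaxLength constant; the caller supplies the connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original question or answers.
// Assumed schema: Lines(Name nvarchar(100) NOT NULL, CreationTime datetime2 NOT NULL).
public static class LineRepository
{
    private const int NameMaxLength = 100;   // assumed width of the Name column

    // Solution 1: explicit SqlParameter with type and size instead of AddWithValue.
    public static int InsertLine(string connectionString, string lineName)
    {
        // Validation in addition to parameters, as the comments discuss: reject input
        // that makes no sense for the column before it reaches the server. SqlClient
        // does not reject a string longer than the parameter Size, so the length
        // check belongs here rather than being left to the parameter.
        if (string.IsNullOrWhiteSpace(lineName))
            throw new ArgumentException("Name is required.", nameof(lineName));
        if (lineName.Length > NameMaxLength)
            throw new ArgumentException($"Name exceeds {NameMaxLength} characters.", nameof(lineName));

        const string sql =
            "INSERT INTO Lines (Name, CreationTime) VALUES (@LineName, @CurrentDateTime)";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Typed parameters: the server receives nvarchar(100) and datetime2 directly,
            // nothing is inferred from the .NET value, and the input travels as data,
            // never as part of the SQL text.
            command.Parameters.Add(new SqlParameter("@LineName", SqlDbType.NVarChar, NameMaxLength)
            {
                Value = lineName
            });
            command.Parameters.Add(new SqlParameter("@CurrentDateTime", SqlDbType.DateTime2)
            {
                Value = DateTime.Now   // the DateTime itself, not DateTime.Now.ToString()
            });

            connection.Open();
            return command.ExecuteNonQuery();   // rows affected; 1 for a successful insert
        }
    }

    // Solution 3's caveat. The value came in safely as a parameter above, but building a
    // later statement from it by concatenation would undo that:
    //
    //     var unsafeSql = "SELECT Name FROM Lines WHERE Name = '" + lineName + "'";
    //
    // Keep every statement parameterized, including the follow-up ones:
    public static bool LineExists(string connectionString, string lineName)
    {
        const string sql = "SELECT COUNT(*) FROM Lines WHERE Name = @Name";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add(new SqlParameter("@Name", SqlDbType.NVarChar, NameMaxLength)
            {
                Value = lineName
            });

            connection.Open();
            return (int)command.ExecuteScalar() > 0;
        }
    }
}
```

The length check before the insert is deliberate: a parameter's Size tells the driver how to describe the value to the server, but it is not an input validator, so a length limit you care about has to be enforced in code (or by the column itself) rather than expected from the parameter.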

Author: Termiux

My name is Jorge Moreno, I'm an IT professional (or would like to think I am =P). I've worked as a web developer, system administrator and tech support. I just got my bachelor's degree, but I've been in love with my computers since I got my first one. I especially love system administration, but I like writing code too. I'm very interested in IT security, penetration testing and related fields.

Updated on May 24, 2022

Comments

  • Termiux (about 2 years)

    I've been reading a bit about SQL injection and I want to be sure my code is, let's say, "safe" from it. I was planning on using RegExp validators to check the user input, but another post on here suggested only using parameterized queries. Well, I'm using them, but I want to be sure my code is safe. Is it?

            using ( SqlConnection dataConnection = new SqlConnection(myConnectionString) )
            {
                using ( SqlCommand dataCommand = dataConnection.CreateCommand() )
                {
                    dataCommand.CommandText = "INSERT INTO Lines (Name, CreationTime) " +
                        "VALUES (@LineName, @CurrentDateTime)";

                    // values are bound as parameters, never concatenated into the SQL text
                    dataCommand.Parameters.AddWithValue("@LineName", TextBox2.Text);
                    // bind the DateTime itself; a ToString() value is sent as text and parsed
                    // back by the server using culture-dependent formatting
                    dataCommand.Parameters.AddWithValue("@CurrentDateTime", DateTime.Now);
                    dataConnection.Open();
                    dataCommand.ExecuteNonQuery();
                    //do other DB stuff
                }
            }


    I chopped the last part to make the post shorter; the rest is just trying and catching exceptions and closing the DB connection, as well as providing user feedback on a successful insert.

  • Termiux (over 13 years)
    I had, but I didn't know that it would be a little better in the performance part if I did; guess I will be doing that now. Do you think it is still necessary to use the RegExp validator?
  • Termiux (over 13 years)
    Like what? Besides checking for empty fields, should I check for anything else?
  • Pete M (over 13 years)
    What kind of input do you expect to receive? Check for anything that doesn't make sense. I'm a big fan of client side AND server side validation THEN using parameterized/prepared statements. If nothing else I'd like to see when people are trying to give me garbage, even if it's unlikely they'll be successful.
  • Ta01 (over 13 years)
    A Regex Validator for the user input that will be passed as parameters?