Hi,
I have a question on sql injection attacks. I am building a tool that
will be used exclusively by our other developers and will generate
stored procs for them dynamically based off input from them. I wanted
to add a "parser" functionality where based off the table and where
clause they choose, the app will parse the query to see if it's valid.
So I'm building a query something like this to run:
SELECT TOP 1 *
FROM [Database].[dbo].[Table] --(Database and table are determined
by user)
WHERE CLAUSE
I won't know what the where clause is, the user can put in pretty much
anything (thus the reason for the parser).
So, I've got it working but now am looking at my code. The call to the
database is done in a DLL and not in my app and thus needs to be
exposed as a public method. I do this with a lot of the code for this
app in case we decide to make the app a Web UI (right now it's a
Windows UI).
Since, it's a public method, it's technically feasible anything can
call it if they reference the DLL. The query I built above is passed
to this DLL, so if someone else used it, it would be possible to use a
sql injection attack on this method.
So my question is, if I wanted to build some code to prevent a sql
injection attack, what kind of rules would I check for? I know some of
the basics, but am not sure of everything to check for.
If it gets too complicated I may just pull this logic out altogether.
I thought it would be a helpful feature but the more I think about the
less I'm sure.
I have a question on sql injection attacks. I am building a tool that
will be used exclusively by our other developers and will generate
stored procs for them dynamically based off input from them. I wanted
to add a "parser" functionality where based off the table and where
clause they choose, the app will parse the query to see if it's valid.
So I'm building a query something like this to run:
SELECT TOP 1 *
FROM [Database].[dbo].[Table] --(Database and table are determined
by user)
WHERE CLAUSE
I won't know what the where clause is, the user can put in pretty much
anything (thus the reason for the parser).
So, I've got it working but now am looking at my code. The call to the
database is done in a DLL and not in my app and thus needs to be
exposed as a public method. I do this with a lot of the code for this
app in case we decide to make the app a Web UI (right now it's a
Windows UI).
Since, it's a public method, it's technically feasible anything can
call it if they reference the DLL. The query I built above is passed
to this DLL, so if someone else used it, it would be possible to use a
sql injection attack on this method.
So my question is, if I wanted to build some code to prevent a sql
injection attack, what kind of rules would I check for? I know some of
the basics, but am not sure of everything to check for.
If it gets too complicated I may just pull this logic out altogether.
I thought it would be a helpful feature but the more I think about the
less I'm sure.
Comment