Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I securely create queries in ADO.NET where the tables being selected from change?

Tags:

c#

sql

sql-injection

ado.net

database-security

In ADO.NET you can add parameters to a command object to securely add user input to a SQL query. What is the equivalent for the other predicates common to a SQL query?

I am writing a program that is essentially a very limited O-R mapper and SQL generator (it's focused heavily around a database with meta-information and other databases that conform to that meta-data). As a result I need to be able to call stuff like:

string sql = "select " + USER_SELECTED_COLUMNS + 
            " from " + USER_SELECTED_TABLE + 
            " where " + USER_CRITERIA;

Some of it (like the criteria) is literally entered into my program by trusted users (other developers in my company), while other data is entered into my program by untrusted users (clients) through their searches, etc.

I'd like to make this program secure, and I'm aware that the above is not. Currently I have the USER_SELECTED_COLUMNS replaced with command parameters, but I've not been able to find the equivalent for the CRITERIA and TABLEs. (Or the order-by columns). Are there any ADO.NET features similar to SqlParameter that I can use for non-selection predicates?

like image 809
Chris Pfohl Avatar asked Dec 01 '25 21:12

Chris Pfohl

2 Answers

I dont think I could tell you how to avoid SQL Injection in 1 response, however, the main pointer I can give you is this:

USE WHITELISTS, NOT BLACKLISTS.

That is to say, when sanitizing the users input for USER_SELECTED_TABLE, the possible input should only be the possible tables. Equaly, the input for USER_SELECTED_COLUMNS should be limited to the possible columns for USER_SELECTED_TABLE.

like image 62
Jamiec Avatar answered Dec 04 '25 10:12

Jamiec

when you build the screens that allow the user to select the table and columns don't use the actual names. Kind of how you would have a UserID but show the UserName. Use the object_id and column_id (like form sys.tables.object_id, and sys.columns.object_id+column_id). Pas those into your procedure and build your SQL using only the numeric IDs that join to the system views:

sys.tables (Transact-SQL)
sys.columns (Transact-SQL)

you can concatenate the string table and column names, but they will come from the system views and not from the user input.

like image 43
KM. Avatar answered Dec 04 '25 09:12

KM.
Sign in to Comment

Related questions

How to overlay two images (as byte arrays)
Regex to match the first file in a rar archive file set
How can I bypass the execution of a method in a RhinoMocks mock?
What are the primary advantages of Visual Studio Team Foundation Server over the other versions? [closed]
Splitting string with string C# .net 1.1.4322
Find the distance required to navigate a list of points using linq
How do I serialize a .NET control to CODE?
how can i calculate age by datetimepicker [duplicate]
The file is busy. I can't delete it
encode html in Asp.net C# but leave tags intact
Is it possible to use ExecuteReader() twice?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!