Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sql Injection Attacks and Subsonic

If I use SubSonic to create DAL for my web project do I need to worry about preventing SQL Injection Attacks?

like image 244
TheVillageIdiot Avatar asked Jul 14 '26 15:07

TheVillageIdiot


1 Answers

This depends on how you construct your queries. It is totally possible to write unsafe queries with subsonic if you don't use parameters.

// Bad example:

string sql = "delete from Products where ProductName = " + rawUserInput;
QueryCommand qry = new QueryCommand(sql, Product.Schema.Provider.Name);
DataService.ExecuteQuery(qry);

// Should be:

string sql = "delete from Products where ProductName = @TargetName";
QueryCommand qry = new QueryCommand(sql, Product.Schema.Provider.Name);
qry.AddParamter("@TargetName", rawUserInput, DbType.String);
DataService.ExecuteQuery(qry);
like image 173
P a u l Avatar answered Jul 16 '26 09:07

P a u l



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!