Last post Mar 15, 2019 09:22 AM by PatriceSc
Mar 15, 2019 08:56 AM | demoninside9
I always use parameterized queries for my CRUD operations, like below, to prevent SQL Injection.
Update tbluser Set Username =@Username.... so on
// some code goes here
command.Parameters.AddWithValue("@Username", txtUsername.Text);
That works fine.
Actually I was in a conversation on "SQL Injection", and I found that someone was saying we can have a shortcut method for SQL Injection, so we don't even need to use parameterized queries.
[And he was using CRUD operations like below]
Update tbluser Set Username ='"+txtUsername.Text+"'.... so on
I was shocked: what is that? Then I asked him how we can achieve this without using parameterized queries. He said we can set this in its own web.config file (with inline queries). After that the conversation ended.
I went back to my place and tried to find some way to bypass parameterized queries using the web.config file with inline queries. But unfortunately I did not find one.
Did anybody use that web.config method? Or is there any setting regarding parameterized queries in web.config which can handle SQL Injection for the whole web application?
Please give your inputs / suggestions.
Mar 15, 2019 09:22 AM | PatriceSc
The only thing I can think of is https://www.owasp.org/index.php/ASP.NET_Request_Validation which strictly speaking is unrelated to SQL injection (though a customized version could also add SQL filtering?).
IMHO there is no valid reason for NOT using SQL parameters. For example, this kind of code prevents the use of a ' character in the string (you need anyway to pass all values through your own function to properly format them).
If your concern is that it's a bit more verbose, you could hide this behind a thin API so that you can write things such as (this is what EF does when you want to go back to raw SQL queries):
ExecuteSqlCommand("UPDATE tblUser SET UserName=@p0 etc...", txtUserName.Text, Email.Text, UserId) for example...
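To make the contrast in both posts concrete, here is an added ADO.NET example (not code from either poster, and not EF's implementation): the concatenation pattern from the question beside a thin `ExecuteSql` helper of the kind the answer describes, which binds positional `@p0`, `@p1`, ... parameters. The table `tblUser` with columns `UserId`, `UserName`, `Email`, the connection string, and the helper's name are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the forum posts. Assumes a SQL Server table
// tblUser(UserId int, UserName nvarchar, Email nvarchar); the connection
// string and the helper names are illustrative.
public static class UserRepository
{
    // Pattern from the question: the input is spliced into the SQL text, so the
    // server parses whatever the user typed as part of the statement. A name
    // containing a single quote already produces a malformed statement.
    public static string BuildConcatenatedSql(string userName, int userId)
    {
        return "UPDATE tblUser SET UserName = '" + userName + "' WHERE UserId = " + userId;
    }

    // Thin wrapper in the spirit of the answer: placeholders @p0, @p1, ... in the
    // fixed SQL text are bound as SqlParameters, so values are sent as data and
    // never re-parsed as SQL, whatever characters they contain.
    public static int ExecuteSql(SqlConnection conn, string sql, params object[] args)
    {
        using (var cmd = new SqlCommand(sql, conn))
        {
            for (int i = 0; i < args.Length; i++)
            {
                // Map null to DBNull; ADO.NET infers the SqlDbType from the CLR type.
                cmd.Parameters.AddWithValue("@p" + i, args[i] ?? DBNull.Value);
            }
            return cmd.ExecuteNonQuery();
        }
    }

    // The same UPDATE as the concatenated version, written against the helper.
    public static int UpdateUser(SqlConnection conn, string userName, string email, int userId)
    {
        return ExecuteSql(conn,
            "UPDATE tblUser SET UserName = @p0, Email = @p1 WHERE UserId = @p2",
            userName, email, userId);
    }

    public static void Main()
    {
        // Constructed input: a legitimate name that happens to contain a quote.
        string name = "O'Brien";

        // The concatenated statement is syntactically broken by the quote; with a
        // hostile value the same splice point would alter the statement's meaning.
        Console.WriteLine(BuildConcatenatedSql(name, 7));

        // The parameterized path sends the statement text and the values separately.
        // Connection string is illustrative (assumption).
        using (var conn = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=true"))
        {
            conn.Open();
            int rows = UpdateUser(conn, name, "obrien@example.invalid", 7);
            Console.WriteLine(rows + " row(s) updated");
        }
    }
}
```

Two practical notes on the helper: `AddWithValue` infers the parameter type from the .NET value (a `string` becomes `nvarchar`), which can force an implicit conversion and defeat an index when the column is `varchar`, so for hot queries prefer `cmd.Parameters.Add("@p0", SqlDbType.VarChar, 50).Value = ...`; and because the parameter names are generated positionally, the caller must pass the arguments in the order the placeholders appear in the SQL text.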