473,387 Members | 1,535 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > asp.net > questions > type safe sql parameters and update/insert of database question

Join Bytes to post your question to a community of 473,387 software developers and data experts.

Type Safe SQL Parameters and Update/Insert of database question

Hi, I have been in the process of updating my code with security methods, and I've been learning this from http://msdn.microsoft.com/en-us/library/ms998258.aspx#pagguidelines0001_authorization (or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input".

Now, what they suggested was to use code like:

"DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter(LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);........"

But, I was already using code like:

"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("someVal", val);"

So now, to use type safe parameters, I decided to include it like:

"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("@someVal", DbType.Int16, val);
dataSource.UpdateParameters["@someVal"].Size = 1;"

So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.

Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, this suggests that this should apply to unfiltered input. Also, in their example they only did this for an ID.

So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or even filtered input shall have this (just to be sure), like, input that has been ran through a regularexpression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?

The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources? If my fears serve true, what would be a good suggestion of how I could implement this properly without having to worry about what I said?

Thanks for any help.
Feb 1 '10 #1

✓ answered by Frinavale

Always validate user-provided data before you try to update your database with it.

Type safe parameters help to prevent SQL injection from occurring but no where would Microsoft state that it should be used instead of validation. It should be used with validation.

A SQL Injection attack occurs when the user enters SQL instead of the intended input. It occurs if you create your SQL query by simply concatenating the unvalidated/unfiltered user input into a String that contains your SQL query.

For example:
Expand|Select|Wrap|Line Numbers
  1. String mySqlQuery = "SELECT * FROM AddressBook WHERE FirstName='" + txt_FirstName + "'";
Now, when you send this SQL query to the database, the database compiles it into a command. If the user input contained SQL, their SQL will also be compiled...thus allowing the user to run their own SQL queries on your database.

If you use Type Safe SQL Parameters then the input provided as the parameter is treated as a Literal as apposed to part of the SQL query. (Check out SQL Injection Attack)

You should always validate the user's input before you update your database with the data they provide. SQL Parameters just add a bit more security to the process.



-Frinny

1 4257
Frinavale
9,735 Expert Mod 8TB
Always validate user-provided data before you try to update your database with it.

Type safe parameters help to prevent SQL injection from occurring but no where would Microsoft state that it should be used instead of validation. It should be used with validation.

A SQL Injection attack occurs when the user enters SQL instead of the intended input. It occurs if you create your SQL query by simply concatenating the unvalidated/unfiltered user input into a String that contains your SQL query.

For example:
Expand|Select|Wrap|Line Numbers
  1. String mySqlQuery = "SELECT * FROM AddressBook WHERE FirstName='" + txt_FirstName + "'";
Now, when you send this SQL query to the database, the database compiles it into a command. If the user input contained SQL, their SQL will also be compiled...thus allowing the user to run their own SQL queries on your database.

If you use Type Safe SQL Parameters then the input provided as the parameter is treated as a Literal as apposed to part of the SQL query. (Check out SQL Injection Attack)

You should always validate the user's input before you update your database with the data they provide. SQL Parameters just add a bit more security to the process.



-Frinny
Feb 2 '10 #2

Sign in to post your reply or Sign up for a free account.

Similar topics

1
Data type problem, something to do with datatypeEnum??
by: Lukelrc | last post by:
Hi all. I'm having trouble connecting to my sql server database correctly beacause of value type problems, specifically the date fields. When i try and run the page i get the follwoing error: ...
ASP / Active Server Pages
16
update transmogrifies to insert/delete
by: robert | last post by:
been ruminating on the question (mostly in a 390/v7 context) of whether, and if so when, a row update becomes an insert/delete. i assume that there is a threshold on the number of columns of the...
DB2 Database
1
Data type question for OLEdb data types
by: Brian Henry | last post by:
I have an access database, and one of the fields in the table I am inserting into has a date/time data type. What is the correct OleDb data type to insert the date and time that it is at the moment...
ASP.NET
1
updating database using parameters
by: Mark | last post by:
Hi: I have an access db that I'm accessing via ASP.Net. I'm using WebMatrix's wizard to write the tedious db query code using parameters. Select, insert, and delete work fine using the database...
ASP.NET
0
An unhandled exception of type 'System.Data.OleDb.OleDbException' occurred in sy
by: NicK chlam via DotNetMonster.com | last post by:
this is the error i get System.Data.OleDb.OleDbException: Syntax error in INSERT INTO statement. at System.Data.Common.DbDataAdapter.Update(DataRow dataRows, DataTableMapping tableMapping) at...
ASP.NET
6
Pass / Store data type
by: Mike Hoff | last post by:
I am trying to write a class that will store info about database fields for building UPDATE / INSERT commands later on. I cannot seem to get the sytax correct to pass and store the data type of...
Visual Basic .NET
0
ADO Connection Open fails with error -2147467259 when MS Access database under Source Safe
by: gm | last post by:
Immediately after generating the Access application from the Source Safe project I get: "-2147467259 Could not use ''; file already in use." If Access database closed and then reopened I get:...
Microsoft Access / VBA
4
Elegant, clean and safe way of having multiple concurent parameters in a dbCommand
by: arak123 | last post by:
consider the following oversimplified and fictional code public void CreateInvoices(Invoice invoices) { IDbCommand command=Util.CreateDbCommand(); foreach(Invoice invoice in invoices) //lets...
C# / C Sharp
1
Update the values in a SQL Server Databse coulmn of type XML.
by: querry | last post by:
Hi all, I am developing a web application where I save a XML file into a SQL Server 2000 database. I do not face any problems in storing to xml file to the database. However, when a updated...
.NET Framework
1
Need help, get error "Object does not match target type" in one instanceof an app, when others work
by: =?ISO-8859-1?Q?Lasse_V=E5gs=E6ther_Karlsen?= | last post by:
I get the above error in some of the ASP.NET web applications on a server, and I need some help figuring out how to deal with it. This is a rather long post, and I hope I have enough details that...
ASP.NET
0
Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
General
0
Batch import of multiple excel files into the database
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
Data Management
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!