473,699 Members | 2,656 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Including BLOB vaules in INSERT SQL

Hi all

I want to do "INSERT INTO Table (Blob) Values('blobdat aasstring')".

...rather than using the parameter driven method, is it possible? And if so
what encoder do I use to convert the bytes to string format?

Thanks
Kev

Feb 7 '06 #1
7 3498
Kevin,

Why on earth would not want to use the parameter? The parameter will
not only do the work for you, but it will also prevent SQL injection
attacks.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard. caspershouse.co m

"Kevin Lawrence" <sp******@spam. com> wrote in message
news:3a******** *************** ***@news.rmplc. co.uk...
Hi all

I want to do "INSERT INTO Table (Blob) Values('blobdat aasstring')".

..rather than using the parameter driven method, is it possible? And if so
what encoder do I use to convert the bytes to string format?

Thanks
Kev

Feb 7 '06 #2
> Kevin,

Why on earth would not want to use the parameter? The parameter
will not only do the work for you, but it will also prevent SQL
injection attacks.
Because our SQL is generated on the fly, there's no possible chance of injection
attacks.

Is it possible or am I forced to use the parameter?

Thanks
Kev

"Kevin Lawrence" <sp******@spam. com> wrote in message
news:3a******** *************** ***@news.rmplc. co.uk...
Hi all

I want to do "INSERT INTO Table (Blob) Values('blobdat aasstring')".

..rather than using the parameter driven method, is it possible? And
if so what encoder do I use to convert the bytes to string format?

Thanks
Kev

Feb 7 '06 #3
Kevin,

Use the parameter. Even if your SQL is produced on the fly, there is no
reason you can't place the parameter marker in the SQL, and then create the
parameter in the query.

And you should be able to do this easily as well, because you have to
have access to the value that you will place in the blob field, and
therefore, can set the value for the parameter. Unless, of course, you
don't know the types of the field, but you would have to do know this as
well, if you are generating the sql dynamically.

Also, the statement that your SQL being generated on the fly making it
impossible for injection attacks to occur is totally false. If anything,
you are more open to injection attacks as a result. The reason for this is
that writing the values out in SQL statement format is a HUGE security gap,
which is exactly what you are doing.

Use the parameters. You will reduce your codebase (because you won't
have to write code to convert values to SQL representations ), make it more
maintainable (because the codebase is smaller), and make it more secure in
the process (using parameters virtually eliminates the ability to conduct
injection attacks).

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard. caspershouse.co m
"Kevin Lawrence" <sp******@spam. com> wrote in message
news:3a******** *************** ***@news.rmplc. co.uk...
Kevin,

Why on earth would not want to use the parameter? The parameter
will not only do the work for you, but it will also prevent SQL
injection attacks.


Because our SQL is generated on the fly, there's no possible chance of
injection attacks.

Is it possible or am I forced to use the parameter?

Thanks
Kev

"Kevin Lawrence" <sp******@spam. com> wrote in message
news:3a******** *************** ***@news.rmplc. co.uk...
Hi all

I want to do "INSERT INTO Table (Blob) Values('blobdat aasstring')".

..rather than using the parameter driven method, is it possible? And
if so what encoder do I use to convert the bytes to string format?

Thanks
Kev


Feb 7 '06 #4
> Kevin,

Use the parameter. Even if your SQL is produced on the fly, there
is no reason you can't place the parameter marker in the SQL, and then
create the parameter in the query.

And you should be able to do this easily as well, because you have
to have access to the value that you will place in the blob field, and
therefore, can set the value for the parameter. Unless, of course,
you don't know the types of the field, but you would have to do know
this as well, if you are generating the sql dynamically.

Also, the statement that your SQL being generated on the fly
making it impossible for injection attacks to occur is totally false.
If anything, you are more open to injection attacks as a result. The
reason for this is that writing the values out in SQL statement format
is a HUGE security gap, which is exactly what you are doing.

Use the parameters. You will reduce your codebase (because you
won't have to write code to convert values to SQL representations ),
make it more maintainable (because the codebase is smaller), and make
it more secure in the process (using parameters virtually eliminates
the ability to conduct injection attacks).


We have already written a framework that stores businessobjects into the
database, this framework contains SQL generation by default, all I am doing
is expanding it to except types of byte[] and convert them into string representations .

It's going to be a hell of a lot more work to re-work the framework and change
it's SQL generation rather than adapting what is there already, all I really
want to know is - is it possible?

Can you give an example of an injection attack and how it might ultimately
cause me a problem?

Thanks
Kev
Feb 7 '06 #5
Kevin,

You don't have to change that much at all, actually.

Somewhere in your framework, you are taking values from objects and
inserting them into tables (or updating existing values). Somewhere in your
framework, you have the type of the column in the table which you are
converting the value to (you have to have this somewhere, or are doing a
mapping from the .NET type to the SQL type. Either way, you know something
about the schema of the column that you are updating/inserting into).

Now, with this, you create your SQL. Say you have a string value as a
property on an object which goes in a table. You do something along the
lines of this:

// The sql string.
string sql = "insert into MyTable ([Property]) values ('" +
myObject.String Value + "')";

And then you place it in a command, and do this:

// The command.
SqlCommand command = new SqlCommand(sql, connection);

// Execute.
command.Execute NonQuery();

Now, say the value of the StringValue was this:

'); drop database MyDatabase; select ('

That would turn your SQL statement into:

insert into MyTable ([Property]) values (''); drop database MyDatabase;
select ('')

Then, when you call ExecuteNonQuery , your database is dropped. Of
course, this is a little bit of an outlandish example, since you should set
security appropriately so the logged in user doesn't have these rights. The
problem also exists for anything such as tables, columns (you can issue
alter table statements), etc, etc. Basically, ANY code can be injected into
your process this way.

Now, if you used parameters, the parameters/command take care of
formatting the values correctly so that the string passed in will be
formatted correctly (quotes become two quotes, indicating an escape for the
quote, etc, etc) and an injection attack will not occur.

So, in your case, instead of doing what you are doing, as you cycle
through the values (you are iterating through a schema of some kind, and
generating your statements based on the columns of the table), you could do
this:

// Create the command, as it will have to have parameters added to it.
SqlCommand command = new SqlCommand();
command.Connect ion = connection;

// Create the SQL string.
string sql = "insert into MyTable ([Property]) values (@stringValue)" ;

// Create the parameter.
SqlParameter parameter = new SqlParameter("@ stringValue", SqlDbType.Char,
50);

// Set the value.
parameter.Value = myObject.String Value;

// Add the parameter.
command.Paramet ers.Add(paramet er);

// Execute.
command.Execute NonQuery();

Of course, your code will differ, but it's not that big of a deal if you
have the schema information already (which you have), and the value (which
you have).

And yes, you can convert the byte array to a string. I believe that you
have to get the hex value of each byte in the array and create a string from
that. Forgetting the security issues with injection attacks, why bother
writing the code to do it when it is already there for you?

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard. caspershouse.co m

"Kevin Lawrence" <sp******@spam. com> wrote in message
news:3a******** *************** ***@news.rmplc. co.uk...
Kevin,

Use the parameter. Even if your SQL is produced on the fly, there
is no reason you can't place the parameter marker in the SQL, and then
create the parameter in the query.

And you should be able to do this easily as well, because you have
to have access to the value that you will place in the blob field, and
therefore, can set the value for the parameter. Unless, of course,
you don't know the types of the field, but you would have to do know
this as well, if you are generating the sql dynamically.

Also, the statement that your SQL being generated on the fly
making it impossible for injection attacks to occur is totally false.
If anything, you are more open to injection attacks as a result. The
reason for this is that writing the values out in SQL statement format
is a HUGE security gap, which is exactly what you are doing.

Use the parameters. You will reduce your codebase (because you
won't have to write code to convert values to SQL representations ),
make it more maintainable (because the codebase is smaller), and make
it more secure in the process (using parameters virtually eliminates
the ability to conduct injection attacks).


We have already written a framework that stores businessobjects into the
database, this framework contains SQL generation by default, all I am
doing is expanding it to except types of byte[] and convert them into
string representations .

It's going to be a hell of a lot more work to re-work the framework and
change it's SQL generation rather than adapting what is there already, all
I really want to know is - is it possible?

Can you give an example of an injection attack and how it might ultimately
cause me a problem?

Thanks
Kev

Feb 7 '06 #6
> We have already written a framework that stores businessobjects into the
database, this framework contains SQL generation by default, all I am doing
is expanding it to except types of byte[] and convert them into string representations .


Why on earth would you convert the byte[] to string representations
before inserting them? That right there is argument enough to use
parameters.

Feb 7 '06 #7
> Kevin,

You don't have to change that much at all, actually.

Somewhere in your framework, you are taking values from objects
and inserting them into tables (or updating existing values).
Somewhere in your framework, you have the type of the column in the
table which you are converting the value to (you have to have this
somewhere, or are doing a mapping from the .NET type to the SQL type.
Either way, you know something about the schema of the column that you
are updating/inserting into).

Now, with this, you create your SQL. Say you have a string value
as a property on an object which goes in a table. You do something
along the lines of this:

// The sql string.
string sql = "insert into MyTable ([Property]) values ('" +
myObject.String Value + "')";
And then you place it in a command, and do this:

// The command.
SqlCommand command = new SqlCommand(sql, connection);
// Execute.
command.Execute NonQuery();
Now, say the value of the StringValue was this:

'); drop database MyDatabase; select ('

That would turn your SQL statement into:

insert into MyTable ([Property]) values (''); drop database
MyDatabase; select ('')

Then, when you call ExecuteNonQuery , your database is dropped. Of
course, this is a little bit of an outlandish example, since you
should set security appropriately so the logged in user doesn't have
these rights. The problem also exists for anything such as tables,
columns (you can issue alter table statements), etc, etc. Basically,
ANY code can be injected into your process this way.

Now, if you used parameters, the parameters/command take care of
formatting the values correctly so that the string passed in will be
formatted correctly (quotes become two quotes, indicating an escape
for the quote, etc, etc) and an injection attack will not occur.

So, in your case, instead of doing what you are doing, as you
cycle through the values (you are iterating through a schema of some
kind, and generating your statements based on the columns of the
table), you could do this:

// Create the command, as it will have to have parameters added to it.
SqlCommand command = new SqlCommand();
command.Connect ion = connection;
// Create the SQL string.
string sql = "insert into MyTable ([Property]) values (@stringValue)" ;
// Create the parameter.
SqlParameter parameter = new SqlParameter("@ stringValue",
SqlDbType.Char,
50);
// Set the value.
parameter.Value = myObject.String Value;
// Add the parameter.
command.Paramet ers.Add(paramet er);
// Execute.
command.Execute NonQuery();
Of course, your code will differ, but it's not that big of a deal
if you have the schema information already (which you have), and the
value (which you have).

And yes, you can convert the byte array to a string. I believe
that you have to get the hex value of each byte in the array and
create a string from that. Forgetting the security issues with
injection attacks, why bother writing the code to do it when it is
already there for you?


Thanks for that - however I am already preventing injection attacks by escaping
the ' using '', so I don't really think there's much risk - plus of course
like you say the permissions in the database prevent anything serious from
happening.

How will performance be affected using parameterised queries? What if I have
50 INSERT's to perform, normally I would have each INSERT in a string list
- join them up with ; and then execute the lot in a batch, how will this
differ with p queries?

Thanks
Kev
Feb 14 '06 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
7
7096
Reading from a blob or a file which is better?
by: John | last post by:
I have over 5000 thumbnail pictures of size 5kb each. I would like to able to load all 5000 pictures and view 50 per page using mysql_data_seek(). I would like to know what are the advantages and disadvantages of using a MySQL blob field rather than reading the images directly from the file? How does one insert an image into a blob field? Can it be done dynamically? Thank you John
PHP
0
2321
Problem nserting BLOB data
by: Mark Fisher | last post by:
I cannot seem to store binary data as a BLOB. I used the following to create a table capable of holding a BLOB: CREATE TABLE blob_table ( id INT UNSIGNED NOT NULL AUTO_INCREMENT, binary_stuff BLOB, PRIMARY KEY (id) );
MySQL Database
2
6872
Bulk Insert of Blob data type in Oracle
by: Niraj | last post by:
Hi, I am trying to do bulk insert of binary data (array of bytes) in an Oracle table. The data type of the table is BLOB. I am using Oracle Objects for OLE (OO4O) in C++. The binary data that I have to insert is in the form of byte array. My problem is that the bulk inserts happen only as long as the length of array is less than 4K. Any data more than 4K gets truncated. Is it possible to do bulk inserts in a BLOB field with data more...
C / C++
15
12335
psql and blob
by: Daniel Schuchardt | last post by:
Hi @ all, i'm sure there was a psql-function to transfere my Blob-Data to the server but I can't remember. I have a script like this : UPDATE xy SET z = lo_import('localpath_and_file'); but i want to execute this script from the client and so my blob-data is
PostgreSQL Database
0
3137
Retrieving VBA-DAO inserted Blob Data in Access via ADO.Net-C#
by: Paul Kennedy | last post by:
I have a situation where I am utilizing code from MSDN to insert XLS files into a Microsoft Access Table in a column of Ole Object using VBA and DAO. That code also provides me with a method to extract the XLS files later. This works wonderfully. The Article is 103257, ACC: Reading, Storing, & Writing Binary Large Objects (BLOBs) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/oledb/htm/oledbaccessing_blob_data.asp I...
C# / C Sharp
11
23019
Using C# to insert blob into Oracle
by: Chris Fink | last post by:
I have setup an Oracle table which contains a blob field. How do I insert data into this field using C# and ADO.net?
C# / C Sharp
1
16282
How to simply insert or update to a BLOB column using data from file
by: shallowpool | last post by:
Can someone provide me the simple syntax necessary to insert or update to a row containing a single BLOB column, where the BLOB data will be obtained from a file? This is on a linux installation. The table has 2 INTs and 1 BLOB column. So, I've scoured various docs and such, and the closest I've come up with is some sort of animal that looks like this: db2 load from /tmp/myblobfile of asc method L (1 780) insert into......
DB2 Database
0
5203
How to Update Blob with JDBC?
by: Nesa | last post by:
Hi, I am accessing DB2 8.2 (Windows) via JDBC type 4 and am having troubles making Blob.setBinaryStream(long) work to update a BLOB column. Here is the excerpt of code that I am using: Connection conn = ds.getConnection(); conn.setAutoCommit(false); // insert a file FileInputStream fis = new FileInputStream(fileName);
DB2 Database
2
5044
blob insert returns null in query
by: wizardry | last post by:
hello - i'm trying to insert a blob into my table, it will insert but the string that i insert when i query the inserted data returns null with 0 bytes in the column. I have other tables set up this way and i'm able to insert text data into it with no problems. I've checked the database design its basiclly a duplicate. I did have to remove my not null on the long blob element. but other then that, i don't understand why this is...
MySQL Database
0
9171
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
0
9032
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
1
8905
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
8880
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
1
6532
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
5869
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
4625
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
3053
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
3
2008
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us