0

If I need to insert data into a table, using SqlParameter is a best choice. But I heard someone said that SqlParameter still has some defects in SQL injection. The proof is contacting a sql string and running exec command. In this case ,there are still some risks in SQL injection.

But my question is that if I use the SqlParameter only to insert data into table without exec command, do I still have the risks in SQL injection?

roast_soul
  • 3,554
  • 7
  • 36
  • 73
  • 1
    You can have some information in this topic. The question seems to be the same : http://stackoverflow.com/questions/306668/are-parameters-really-enough-to-prevent-sql-injections – Adrien.C Jun 27 '13 at 07:02
  • how about you share the code and I'll try to inject some SQL to it – No Idea For Name Jun 27 '13 at 07:05

2 Answers2

1

The problem with the exec example is you are running two queries. The first query builds a 2nd sql string using concationation, then the 2nd query is executed.

As long as you keep your command and your data channels separate (keeping the query that will be performed independent of the the value of the variables the query will run against) you can not have SQL Injection (as the definition of SQL Injection is using the data channel to slip something in to the command channel)

Scott Chamberlain
  • 124,994
  • 33
  • 282
  • 431
1

Yes, as long as you can use a parameter for the every statement added to a query dynamically.
Too bad, most frameworks doesn't allow you so, but for a few simple datatypes only.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345