0

If I change my select from

String insSQL2
    = "select * from Produtos where nome = '" + txtBuscaNome.Text + "'"

To

String insSQL2
    = "select * from Produtos where nome = ''" + txtBuscaNome.Text + "''"

Will it prevent sql injection?

Grant Winney
  • 65,241
  • 13
  • 115
  • 165
Aman
  • 582
  • 2
  • 12
  • 29

2 Answers2

4

No.

SQL injection isn't about creatively using quote characters. It's about treating input as data instead of as code. Take a look at a classic SQL injection vulnerability:

"SELECT * FROM Users WHERE Id = " + someValue;

It may intuitively look like you're using someValue as a data value, but you're actually using it as actual SQL code. The SQL engine doesn't see this as a value parameter, it sees it as part of the command being executed. That code should just be a value, but it can be anything. And you'd be executing whatever code is supplied.

Thinking of it in this way, it becomes clear that you should never execute user-supplied code in your application.

The alternative is to treat the user input as values in pre-defined code. That way you control the complete scope of the code and users are only supplying values. Which would look more like this:

"SELECT * FROM Users WHERE Id = @id";

Now the SQL engine sees that parameter (@id) and expects you to supply a value for that parameter. In ADO.NET it might look something like:

someCommand.Parameters.AddWithValue("@id", someValue);

Now the SQL engine knows that this is a data value and not code, so it treats it as data instead of executing it.

David
  • 208,112
  • 36
  • 198
  • 279
  • Ok, now I got it, but using parameter how I send this to a datagridview because I could't use my codeSQLiteDataAdapter da = new SQLiteDataAdapter(cmd); DataSet ds = new DataSet(); try { da.Fill(ds); DataTable dt = ds.Tables[0]; this.grid_userlist.DataSource = dt; } – Aman Jan 20 '14 at 02:49
  • @Aman: Why does that code prevent you from using `SqlParameter`s in the `SqlCommand`? All you're doing there is filling a `DataSet` from a `DataAdapter`. It still relies on a command, that command is where you use parameters instead of string concatenation. – David Jan 20 '14 at 02:50
  • Using the parameter I cant use the dataAdapter fill to send the data to the dataset and them send it to the dataTable so I can display it in a dataGridView – Aman Jan 20 '14 at 02:54
  • @Aman: I'm pretty sure you can use parameterized queries with a `DataAdapter`. It has nothing to do with a `DataGridView`, SQL injection happens at the database integration point, not in the UI. If you're trying to use some specific code and receiving a specific error or it's not working in some specific way, that would be worth a new Stack Overflow question. Just saying "I can't do it" isn't really a problem description anybody can help with... – David Jan 20 '14 at 02:57
  • Ok @David, I cant speak english very well and some times it is hard for me to explain wat is happening, I will trie to formulate a new question. Thank you. – Aman Jan 20 '14 at 03:27
  • Ok @David . It is working now, I used a SqliteDataReader to receive te query them sen it to the datagrid view. SQLiteDataReader readerProduto = sql_cmd.ExecuteReader(); dataTable.Load(readerProduto); dataGridViewProdutos.DataSource = dataTable; – Aman Jan 20 '14 at 14:32
2

No, it won't prevent sql injection.

Use parameterized sql:

var insSQL2 = "select * from Produtos where nome = @nome";
var connection = new SqlConnection(/* connection info */);
var command = new SqlCommand(insSQL2, connection);
command.Parameters.AddWithValue("@nome", txtBuscaNome.Text);
Aaron Palmer
  • 8,912
  • 9
  • 48
  • 77