How do I prevent MySQL Database Injection Attacks using vb.net?

Question

I am using vb.net in Visual Basic 2010 and using Query to edit my Online MySQL Database from the application (WinForms).

Here is a sample to insert a new user into the database:

MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
READER = COMMAND.ExecuteReader
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()

How to Prevent MySQL Database Injection Attacks?

--------------------------------------------------------------------------------

Is this Parameterized way also ideal for these sets of code?

Set 1:

Dim SQLReq As String = "UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
submitRequest(SQLReq)

Set 2

MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member='" & My.Settings.username & "'"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()

Set 3

MySQLCon.Open()
Dim Query As String
Query = "SELECT member FROM members"
command = New MySqlCommand(Query, MySQLCon)
SDA.SelectCommand = command
SDA.Fill(dbDataSet)
bSource.DataSource = dbDataSet
vagueMembers.DataSource = bSource
SDA.Update(dbDataSet)
MySQLCon.Close()
MySQLCon.Dispose()

---

This is an edit for @Fred

Set 1 is now:

MySQLCon.Open()
Dim SQLADD As String = "UPDATE members SET req= @request WHERE member= @memberName"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@request", request)
COMMAND.Parameters.AddWithValue("@memberName", My.Settings.username)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()

Set 2 is now:

MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member= @member"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
COMMAND.Parameters.AddWithValue("@member", My.Settings.username)
COMMAND.ExecuteNonQuery()
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()

Set 3 is now:

Same as usual cause you said it should be fine.

Are these correct? Protected from Injections?

Answer 1

MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)  
COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text)  
COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text)  
COMMAND.ExecuteNonQuery()
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()

You don't need to use COMMAND.ExecuteReader as you are not retrieving data.

You should never build your queries like this:

UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"

It is vunerable to SQL Injection, you should parameterize your queries as I have in the example above. This applies to any query be it INSERT, UPDATE, SELECT

Answer 2

Instead of concatenating your SQL statement like this:

Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"

You specify each parameter using an @ prefix like this without any quotes:

Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@member, @gamertag, @role)"

Then you specify the values for each parameter like this using the correct variable type for the data type in your database:

command.Parameters.AddWithValue("@member", member)
command.Parameters.AddWithValue("@gamertag", gamertag)
command.Parameters.AddWithValue("@role", role)

Your example edit is not a parameterised query. You should never concatenate your SQL string with variables.

Answer 3

You should put the insert query at the Stored Procedure.

conn.Open();
                    cmd.Connection = conn;

                    cmd.CommandText = "add_mem";
                    cmd.CommandType = CommandType.StoredProcedure;

                    cmd.Parameters.AddWithValue("@member", "Jones");
                    cmd.Parameters["@lname"].Direction = ParameterDirection.Input;

                    cmd.Parameters.AddWithValue("@gamertag", "Tom");
                    cmd.Parameters["@fname"].Direction = ParameterDirection.Input;

                    cmd.Parameters.AddWithValue("@role", "1940-06-07");
                    cmd.Parameters["@bday"].Direction = ParameterDirection.Input;


                    cmd.Parameters["@empno"].Direction = ParameterDirection.Output;

                    cmd.ExecuteNonQuery();