0

How to restrict this below command text with SQL injection: 

cmdExcel.CommandText = "SELECT * From [" + sheetName + "]";

Any help would be appreciated. Thanks!

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Shanmugam S
  • 11
  • 2
  • 2
    Use parameters instead of building your own string. – Loocid Nov 25 '19 at 05:32
  • You can't use query parameters for a table name. A better duplicate question with answers is: [Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks)](https://stackoverflow.com/questions/9651582/) – Bill Karwin Nov 25 '19 at 16:13

3 Answers3

0

Since you know that you are intressted of table name, then you know that i should not containe any space.

So if you make sure of that then even if someone tried to add more sql then it will only be an error.

So here is how you could do it.

cmdExcel.CommandText = "SELECT * From [" + sheetName.Replace(" ", "") + "]";
Alen.Toma
  • 4,684
  • 2
  • 14
  • 31
  • "Table names can contain any valid characters (for example, spaces)." [reference](https://learn.microsoft.com/en-us/sql/odbc/microsoft/table-name-limitations?view=sql-server-ver15) [another reference](https://learn.microsoft.com/en-us/sql/relational-databases/databases/database-identifiers?view=sql-server-ver15) – Bill Karwin Nov 25 '19 at 16:15
0

use ToSqlStrValue("") to protect SQL injection.

for example:

str sql="Select * from Customers where username="+ToSqlStrValue(username);

    /// <summary>
    /// This is to prevent potential SQL worms because of SQL assembling.
    /// </summary>
    /// <param name="str"></param>
    /// <returns></returns>
    public static String FilterInvalidSqlChars(String str)
    {
        if(str==null || str=="")
            return str;
        String[] badChars = { "\'" };
        str = str.Replace(badChars[0], "\'\'");
        return str;
    }

    /// <summary>
    /// This function adds "'" to the begin and end of a string value so that it
    /// can be used in a SQL statement directly by + operation. It also filters the 
    /// invalid SQL characters, such as "that's ok" to --> "'That''s ok'"
    /// Note all strings are unicode strings. if strValue is null, it returns a string "null".
    /// </summary>
    public static String ToSqlStrValue(String strValue)
    {
        if(strValue==null)
            return "null";
        else 
            return "N\'" + FilterInvalidSqlChars(strValue) + '\'';

    }
Sean
  • 1,806
  • 1
  • 13
  • 15
0

I am guessing cmdExcel is type of SqlCommand. It allows us to add parameters.

see sample below:

string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
        + "WHERE CustomerID = @ID;";

    SqlConnection connection = new SqlConnection(connectionString)
        SqlCommand command = new SqlCommand(commandText, connection);
        command.Parameters.Add("@ID", SqlDbType.Int);
        command.Parameters["@ID"].Value = customerID;


        command.Parameters.AddWithValue("@demographics", demoXml);
aspxsushil
  • 514
  • 1
  • 5
  • 16