I am fairly new to SQL but have been using it throughout my application for a while now. The way I am executing statements does not seem to be the most viable option since it can present issues for the likes of SQL injections etc.

This is an example of a chunk of code in my application which demonstrates how I am currently using SQL.

    //Select all active devices.
    string ActiveUsers = "SELECT * FROM Devices WHERE Status='" + "Online" + "'";
    SqlCommand cmd = new SqlCommand(ActiveUsers, con);
    SqlDataAdapter sda = new SqlDataAdapter(cmd);
    DataSet ds = new DataSet();
    sda.Fill(ds);
    con.Close();

Would you please be able to advise me on how to modify this code so that it's more secure and carries fewer risks?

Many thanks.

  • https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlcommand.prepare?view=dotnet-plat-ext-5.0#System_Data_SqlClient_SqlCommand_Prepare – Theraot Mar 24 '21 at 23:30
  • Does this answer your question? [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – Hayden Mar 24 '21 at 23:32 (4)
  • Any course or tutorial that teaches how to query or execute SQL statements without teaching prepared statements needs to die in a fiery pit. – Theraot Mar 24 '21 at 23:33
  • I assume where you have `"Online"` is where you would normally put the user input? Because that code actually isn't vulnerable to sql injection. – Crowcoder Mar 24 '21 at 23:49
  • @Theraot but then we'd have the OWASP top 9, and that just doesn't have the same ring to it. – Crowcoder Mar 24 '21 at 23:50
  • @Crowcoder A developer needs to use a database, gets a tutorial, and start writing code. Nobody told the developer to see OWASP, the code was deployed with vulnerabilities and they didn't even know what OWASP was. Why? Because the tutorial, which is the thing the developer who wants to learn how to use a database will search, was good enough to make something that works, but not good enough to make it secure… Well, all such tutorials should cease to exist. I do not expect database tutorials to tell about OWASP (and who says databases are for web only). But I expect prepared statements. – Theraot Mar 25 '21 at 00:23
  • @Theraot I don't think you got the joke. – Crowcoder Mar 25 '21 at 00:27
  • @Crowcoder looking for joke… You meant OWAPS top 10? There is an OWASP top 9: https://www.linuxsecrets.com/owasp-wiki/index.php/The_Owasp_Code_Review_Top_9.html – Theraot Mar 25 '21 at 00:30
  • @Theraot no I didn't mean OWAPS, I meant OWASP and I'm sorry you took offense, I'm going to go repent now, even though I know it can never make up for how I've wronged you. – Crowcoder Mar 25 '21 at 00:37
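The parameterized form the comments point to (Theraot's `SqlCommand.Prepare` link and the linked duplicate), written out against the asker's `Devices` / `Status` schema. This is an added example, not the asker's code or anything from the linked answers; the connection string is a placeholder and `O'Brien` is a constructed sample value chosen only because it contains a quote.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example. Assumes a "Devices" table with a "Status" column, as in the
// question. The connection string below is a placeholder, not a real server.
public static class DeviceQueries
{
    // The original pattern: the value is spliced into the SQL text. With the
    // literal "Online" this is harmless (Crowcoder's point), but as soon as
    // `status` arrives from a user, a request or a config file, the data and
    // the statement share one string and the parser cannot tell them apart.
    public static string BuildConcatenated(string status)
    {
        return "SELECT * FROM Devices WHERE Status='" + status + "'";
    }

    // Parameterized version: the SQL text is a constant and the value is sent
    // separately as a typed parameter, so it is only ever treated as data.
    public static DataSet GetDevicesByStatus(string connectionString, string status)
    {
        const string sql = "SELECT * FROM Devices WHERE Status = @status";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Explicit type and length: no implicit conversion, and the
            // provider rejects values longer than the column allows.
            cmd.Parameters.Add("@status", SqlDbType.NVarChar, 50).Value = status;

            var ds = new DataSet();
            using (var sda = new SqlDataAdapter(cmd))
            {
                // Fill() opens and closes the connection itself; the using
                // blocks dispose everything even if Fill() throws.
                sda.Fill(ds);
            }
            return ds;
        }
    }

    public static void Main()
    {
        // Constructed input: a perfectly legitimate value that happens to
        // contain a single quote. Concatenation produces a broken statement;
        // the parameterized query handles it unchanged.
        string awkwardButHonest = "O'Brien";
        Console.WriteLine(BuildConcatenated(awkwardButHonest));
        // -> SELECT * FROM Devices WHERE Status='O'Brien'   (syntax error on the server)

        // Placeholder connection string; replace with your own to run the query.
        string connectionString =
            "Server=(local);Database=PLACEHOLDER_DB;Integrated Security=true;";
        DataSet ds = GetDevicesByStatus(connectionString, awkwardButHonest);
        Console.WriteLine("Rows returned: " + ds.Tables[0].Rows.Count);
    }
}
```

Two points beyond the swap to `@status`: `SqlDataAdapter.Fill` opens and closes the connection on its own, so the explicit `con.Close()` in the question is unnecessary and the `using` blocks guarantee disposal on exceptions; and `SELECT *` still works but listing the columns you actually need keeps the result shape stable when the table changes. The `Prepare()` call from the linked Microsoft page is optional with `SqlClient` (the provider already sends parameters via `sp_executesql`) and, if used, requires the connection to be open and every variable-length parameter to have an explicit size, as done here.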

0 Answers