-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathSqlInjection.cs
More file actions
102 lines (91 loc) · 3.93 KB
/
SqlInjection.cs
File metadata and controls
102 lines (91 loc) · 3.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
using System;
namespace System.Web.UI.WebControls
{
public class TextBox { public string Text { get; set; } }
}
namespace Test
{
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Web.UI.WebControls;
public class EntityFrameworkContext : DbContext
{
public EntityFrameworkContext()
{
}
}
class SqlInjection
{
TextBox categoryTextBox;
string connectionString;
public void GetDataSetByCategory()
{
// BAD: the category might have SQL special characters in it
using (var connection = new SqlConnection(connectionString))
{
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ categoryTextBox.Text + "' ORDER BY PRICE";
var adapter = new SqlDataAdapter(query1, connection);
var result = new DataSet();
adapter.Fill(result);
}
// GOOD: use parameters with stored procedures
using (var connection = new SqlConnection(connectionString))
{
var adapter = new SqlDataAdapter("ItemsStoredProcedure", connection);
adapter.SelectCommand.CommandType = CommandType.StoredProcedure;
var parameter = new SqlParameter("category", categoryTextBox.Text);
adapter.SelectCommand.Parameters.Add(parameter);
var result = new DataSet();
adapter.Fill(result);
}
// GOOD: use parameters with dynamic SQL
using (var connection = new SqlConnection(connectionString))
{
var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY="
+ "@category ORDER BY PRICE";
var adapter = new SqlDataAdapter(query2, connection);
var parameter = new SqlParameter("category", categoryTextBox.Text);
adapter.SelectCommand.Parameters.Add(parameter);
var result = new DataSet();
adapter.Fill(result);
}
using (var connection = new SqlConnection(connectionString))
{
using (var context = new EntityFrameworkContext())
{
// BAD: Use EntityFramework direct Sql execution methods
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ categoryTextBox.Text + "' ORDER BY PRICE";
context.Database.ExecuteSqlCommand(query1);
context.Database.SqlQuery<string>(query1);
// GOOD: Use EntityFramework direct Sql execution methods with parameter
var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY="
+ "@p0 ORDER BY PRICE";
context.Database.ExecuteSqlCommand(query2, categoryTextBox.Text);
}
}
// BAD: Text from a local textbox
using (var connection = new SqlConnection(connectionString))
{
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ box1.Text + "' ORDER BY PRICE";
var adapter = new SqlDataAdapter(query1, connection);
var result = new DataSet();
adapter.Fill(result);
}
// BAD: Text from a local textbox
using (var connection = new SqlConnection(connectionString))
{
var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ box1.Text + "' ORDER BY PRICE";
var cmd = new SqlCommand(queryString);
var adapter = new SqlDataAdapter(cmd);
var result = new DataSet();
adapter.Fill(result);
}
}
System.Windows.Forms.TextBox box1;
}
}