
Is there any sense in worrying about SQL injection in a Winforms project?

In SO and elsewhere it's nearly impossible to post long concatenated SQL instructions in sample code without someone politely pointing out that it's better to use parameterized input and stored procedures.

Recent example here.

But is it meaningful to worry about SQL injection in a Winforms project?


Is there some reason not to write safe database code? I don't think so.

Everyone should get into the habit of executing SQL safely, so you won't even have to think about it when you write public apps.

Also consider that a lot of code that's intended to be private will end up becoming accessible publicly months or years later. For example, "hey this intranet app for inventory reporting is useful, why don't we upload it to our public website for our business partners to use?"

  • Use parameters to separate unvalidated data from the SQL query.
  • You can interpolate validated data into SQL queries. That is, if you have code to test that a variable can only be an integer (for example), then it's safe to treat it as an integer.
  • For other dynamic parts of a query (table names, column names, expressions, etc.) you can't use query parameters. But you can map user input to hardcoded strings. E.g., if the user enters 1, then sort by the date column; if the user enters 2, then sort by the status column.
  • Ignore programmers who say "just use stored procedures!" as though that has anything to do with defense against SQL injection. It doesn't.
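The following is an added C# example, not code from the question or any of the answers, that puts the points in the list above side by side: a concatenated query of the kind the question asks about, a parameterized version of the same query, and an allow-list that maps a user's sort choice to a hardcoded column name (the part a parameter cannot cover). It assumes a SQL Server table `dbo.Orders(OrderId, CustomerName, OrderDate, Status)` and a connection string supplied by the caller; the table, its columns and the method names are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original question or answers). Assumes a table
// dbo.Orders(OrderId int, CustomerName nvarchar(100), OrderDate datetime, Status nvarchar(20))
// and a connection string supplied by the caller; both are assumptions.
public static class OrderQueries
{
    // Fixed allow-list: the user's choice (e.g. a ComboBox index) is mapped to a
    // hardcoded column name, because identifiers cannot be passed as parameters.
    private static readonly Dictionary<int, string> SortColumns = new Dictionary<int, string>
    {
        { 1, "OrderDate" },
        { 2, "Status" },
    };

    public static string SortColumnFor(int choice)
    {
        string column;
        if (!SortColumns.TryGetValue(choice, out column))
            throw new ArgumentOutOfRangeException(nameof(choice), "unknown sort option");
        return column;
    }

    // UNSAFE: string concatenation. A customer named O'Shaughnessy turns the literal
    // into 'O'Shaughnessy', which is a syntax error, and any input containing a quote
    // becomes part of the statement text instead of data.
    public static string BuildUnsafeSql(string customerName, int sortChoice)
    {
        return "SELECT OrderId, CustomerName, OrderDate, Status FROM dbo.Orders"
             + " WHERE CustomerName = '" + customerName + "'"
             + " ORDER BY " + SortColumnFor(sortChoice);
    }

    // SAFE: the unvalidated value travels as a typed parameter; only the allow-listed
    // column name is interpolated into the SQL text.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string customerName, int sortChoice)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT OrderId, CustomerName, OrderDate, Status FROM dbo.Orders"
          + " WHERE CustomerName = @customerName"
          + " ORDER BY " + SortColumnFor(sortChoice);
        // Explicit type and length avoid implicit conversions and keep the plan cache stable.
        cmd.Parameters.Add("@customerName", SqlDbType.NVarChar, 100).Value = customerName;
        return cmd;
    }

    // Typical Winforms usage: fill a DataTable to bind to a grid.
    public static DataTable LoadOrders(string connectionString, string customerName, int sortChoice)
    {
        using (var conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = BuildSafeCommand(conn, customerName, sortChoice))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }
}
```

Calling `BuildUnsafeSql("O'Shaughnessy", 1)` shows the broken statement described in the answers, while `LoadOrders(connStr, "O'Shaughnessy", 1)` runs the same query correctly. The sort choice never reaches the SQL text as user input: an unknown value throws before any query is built, rather than being interpolated.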


Epic tale from real life: the Big Boss of the mid-western company came to take a look at project progress. Not sure how it happened, but somehow a new set of orders came down from the scheduling office for a customer never seen before. And went into production around the time the Boss came to have a look. His last name was O'Shaughnessy.

Using parameterized input is good for more than just avoiding SQL Injection.


Yes, it is, for all the reasons you've seen on other projects.

Your user base may be smaller but the same dangers are there.
