开发者

Is TableAdapter/DataSet safe from SQL injection?

In my ASP.NET(3.5) project, I am using inbuilt TableAdapters/Dataset for all Data Access. Does it provide the same security as SQLDataSource does from SQL injection? I am using parameters as follows.

Dim myDAL As New ABCTableAdapters.XYZTableAdapter
Label1.Text = myDAL.getDatafromDB(myParameter)

Update 1:

     Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            Dim myParameter As String = getSafeURL(Request.QueryString("MS_Code")) 'getsafeurl encodes querystring using HttpUtility.UrlEncode
            Dim myDAL As New ABCTableAdapters.XYZTableAdapter
            Label1.Text = myDAL.getDatafromDB(myParameter)
     End Sub

getDatafromDB corresponds to following query present in app_code/DAL.xsd

SELECT something FROM sometable where fieldname = @parameter

Update 2: If I 'View Code' of XSD I am able to see following

<SelectCommand>
              <DbCommand CommandType="Text" ModifiedByUser="true">
                <CommandText>SELECT pageContent FROM [content] where name = @name</CommandText>
                <Parameters>
                  <Parameter AllowDbNull="true" AutogeneratedName="name" ColumnName="name" DataSourceName="iseac.dbo.[content]" DataTypeServer="nchar(100)" DbType="String" Direction="Input" ParameterName="@name" Precision="0" ProviderType="NChar" Scale="0" Size="100" SourceColumn="name" SourceColumnNullMapping="false" SourceVersion="Current" />
                </Par开发者_运维问答ameters>
              </DbCommand>
            </SelectCommand>


It depends.

You could get SQL injection if you badly use tableAdapters.

The main thing is to use SqlParameters for all data that is gathered from users.

Can you show some of your data access code ?

Look up here How To: Protect From SQL Injection in ASP.NET

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
   DataSet userDataset = new DataSet();
   SqlDataAdapter myDataAdapter = new SqlDataAdapter(
   "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", 
     connection);                
   myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
   myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
   myDataAdapter.Fill(userDataset);
}

The important part here is that user entered data (what comes in from web request) is passed to DB inside database parameters like @au_id. In that case you are protected from SQL injection.

BAD WAY would be this (DON'T USE THIS):

myCommandText = string.Format(
   "SELECT au_lname, au_fname 
    FROM Authors WHERE au_id = {0}", SSN.Text)

This way user can manipulate what is send to DB and if your connection to DB has enough privileges it can drop tables or database. Or it can silently modify your data and that is even worse.

So, always use database parameters.

Additionally if you do you gain in performance, because DB will cache execution plan and if you later execute same SQL with only different values for parameters, DB already have execution plan and it doesn't need to parse sql again.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜