1

Basic question. If I have a form that asks a user for their name, email, and comments, and I store the entries in the database... What happens if someone types in a SQL query such as:

DROP tablename

in the comments section.

@Name,
@Email,
@Comments

INSERT INTO mytable (Name, Email, Comments) VALUES (@Name, @Email, @Comments)

Is there any risk of SQL injection or am I perfectly safe?

SQL Server 2008 Stored Procedure to handle insert.

Bill Karwin
  • 538,548
  • 86
  • 673
  • 828
user1447679
  • 3,076
  • 7
  • 32
  • 69
  • It's called SQL injection. You can avoid it by validating and binding input. Don't just pass input values from forms into the back end. – duffymo Jul 17 '13 at 02:11

3 Answers3

5

Yes, you are safe.

SQL injection works by changing the syntax of an SQL query by interpolating malicious input.

But one query parameter always substitutes for one scalar value. There's no way any malicious input can change the syntax of the query if you use parameters.

Bill Karwin
  • 538,548
  • 86
  • 673
  • 828
0

You can use parameter object. It can restrict the SQL Injection. Don't use inline SQL. If you use SQL inline, check single quote("'") within the parameter.

zanhtet
  • 2,040
  • 7
  • 33
  • 58
0

Short answer to your question is – you are safe if you use parameters.

(comments below are a bit outside of the scope of your original question but I strongly recommend you take some time to learn more on this topic)

However this doesn’t mean you shouldn’t validate user input in any way. Even though you are safe from SQL injection failing to validate user input may lead to making your data dirty with just about anything people will insert.

Also, make sure you are using account with least privileges to improve security even more.

Here is a good article on this topic from MSDN.

Kenneth Hampton
  • 685
  • 6
  • 7