0

I'm writing a WinForms application in C# with the purpose of selecting from views with aggregated data on an SQL server. The point is to generate charts from the views using the System.Windows.Forms.DataVisualization.Charting namespace.

As of now, I select the view names in the relevant db and list them to the user, prompting them to choose one and then specify what columns should go on what axis. My problem is formulating a query to select the appropriate view. The application will only be used internally so to be fair, injection vulnerabilities aren't THAT big of an issue, however I don't really want to dynamically build the query strings since I understand it's a very crappy way of doing things.

I looked into parameterized queries and stored procedures but they won't allow you to parameterize the table name (for good reasons from what I can tell). This leaves me with a dilemma. I guess I could make stored procedures for all views but that seems like a clumsy solution. Is there a better way? Should I rework the whole idea?

sara
  • 3,521
  • 14
  • 34
  • This is why we have Entity Framework and LINQ available to us. – jfrankcarr Jul 26 '13 at 10:23
  • @jfrankcarr I have not used LINQ in C# yet, but a quick glance makes me think It's just what I need. Will look into it more and return! – sara Jul 26 '13 at 11:21

1 Answers1

0

You could do it by creating the SQL statement in your code or you could create a stored procedure where you can pass the name of the view and a list of columns to be selected. Of the two methods I would prefer the second one. Other than these, right now I cannot think of any other way of doing it. However you could do some additional things to prevent injection:

  • Thorough validation of the input.

  • Create a new user and give this user the least amount of privileges. Just the SELECT privilege on the views. Use this user to talk with the database.

unlimit
  • 3,672
  • 2
  • 26
  • 34
  • There is a user intended for this application (among other things) which only has read access and only to a few relevant dbs. The app lets you format the connection string yourself via a loginform though, so the application can theoretically have a SqlConnection running with write/execute rights. It's still an internal application though, so again, security issues aren't THAT big a deal, it's more the fact that I want to write as solid an application as possible. – sara Jul 26 '13 at 11:10