
I'm working on a SQL engine, and to prevent SQL injection I have used SQL parameters.

But on the other hand, I take the table name from the method parameter.

It looks like this, for a simple example:

public void dosomething(string tablename)
{
    // The table name is concatenated straight into the query text;
    // only the column values would go through SQL parameters.
    string query = "select productname, price from " + tablename;

    ...

}

Now my question: is this insecure?

Artur Karaev
  • A table name cannot be passed with SQL parameters. Your sample is insecure if multiple statements are able to run; imagine `tablename = "item; Drop table item"` – Eric May 26 '15 at 09:41
  • It's safe if you have control of the table name. It would be very dangerous if you expect the user to supply the name without some very thorough sanitisation –  May 26 '15 at 09:42
  • Could you give a sample of how to secure this function? – Artur Karaev May 26 '15 at 09:44
  • See http://stackoverflow.com/a/17947836/1287352 – Eric May 26 '15 at 09:55

2 Answers

You could check this yourself, what would happen if you ran this like so:

dosomething("Product;DROP TABLE Product;--")

This assumes a table named Product. It is particularly going to be a problem if your tablename parameter is coming from user input.

Paddy

It is definitely insecure if the user is supplying the tablename. As best practice, instead of constructing the statements, they can be mapped or selected based on user inputs via if/case etc. over predefined strings in your code. This will eliminate basic SQL injection attacks, like Eric said.

Also, one more layer can be introduced via OOP tricks so that DDL, DML and DCL are clearly separated in your query engine, so that even the rare SQL injection attacks are eliminated.

  • It's not 'definitely insecure'. It's only a problem if the OP is allowing a user to supply the tablename directly. If the tablename is being supplied by the software without user input there's no problem here at all. –  May 27 '15 at 04:40
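The allow-list approach described in the answer above, as an added example that is not part of the original thread. It is written in Python with the standard sqlite3 module; the table names, lookup keys and sample rows are constructed for illustration, and the `TABLE_MAP` dictionary stands in for the "predefined strings in your code".

```python
import sqlite3

# Constructed allow-list: caller-facing keys mapped to the real table names.
# Only names that appear here can ever reach the SQL text.
TABLE_MAP = {
    "products": "Product",
    "archived_products": "ProductArchive",
}


def is_known_table_key(table_key: str) -> bool:
    """True only for keys that resolve to a predefined table name."""
    return table_key in TABLE_MAP


def build_query(table_key: str) -> str:
    """Resolve a caller-supplied key to a table name by lookup, never by
    concatenating the caller's string into the statement."""
    if not is_known_table_key(table_key):
        raise ValueError(f"unknown table key: {table_key!r}")
    table = TABLE_MAP[table_key]
    # The identifier comes from our own map; the price filter stays a parameter.
    return f'SELECT productname, price FROM "{table}" WHERE price >= ?'


def do_something(conn: sqlite3.Connection, table_key: str, min_price: float):
    """Run the query for an allow-listed table; values go through parameters."""
    return conn.execute(build_query(table_key), (min_price,)).fetchall()


def demo_connection() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Product (productname TEXT, price REAL);"
        "INSERT INTO Product VALUES ('widget', 9.99), ('gadget', 24.50);"
        "CREATE TABLE ProductArchive (productname TEXT, price REAL);"
        "INSERT INTO ProductArchive VALUES ('old widget', 1.00);"
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(do_something(conn, "products", 10.0))
    try:
        # The payload from the first answer is just an unknown key here.
        do_something(conn, "Product;DROP TABLE Product;--", 0.0)
    except ValueError as err:
        print("rejected:", err)
```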