On PetaPoco's home page there is a mention that PetaPoco's SQL Builder (Sql object) protects from SQL injection. But does the Query(string query, parameters) method protect from SQL injection?

SQL Builder is safe:

var id = 123;
var a = db.Query<article>(PetaPoco.Sql.Builder
  .Append("SELECT * FROM articles")
  .Append("WHERE article_id=@0", id)
);

But is it safe with string query where parameters are passed like this?

var id = 123;
var a = db.Query<article>("SELECT * FROM articles WHERE article_id=@0", id);
Lassi Autio

Yes, if you try to start to look at PetaPoco's source code on GitHub. It is after all using SqlParameter. https://github.com/CollaboratingPlatypus/PetaPoco/blob/development/PetaPoco/Database.cs#L952 – ngeksyo Jul 04 '17 at 13:35

1 Answer

Yes, it does protect against SQL injection.

You can verify this, if you aren't sure, by running a SQL Trace on the SQL being executed. Or provide some inputs with a single and a double quote in it (against a nvarchar column) and see whether a runtime exception occurs (which would occur if SQL injection was a problem).

See also https://github.com/CollaboratingPlatypus/PetaPoco/issues/326#issuecomment-238538854 :

this is the correct behaviour. The SQL and parameters are passed to the DB Command to prevent injection based attacks. The connected DB will put the SQL and parameters together in a safe manner

mjwills
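As an added example (not from the question, the answer, or the PetaPoco project) of the check the answer describes: run the parameterized Query/Fetch form with an input containing both a single and a double quote and confirm it matches the row without throwing, beside the concatenated form that breaks on the same input. The `Article` class, the `title` column, the probe value and the already-opened `db` instance are assumptions; `articles` and `article_id` come from the question.

```csharp
using System;
using System.Collections.Generic;
using PetaPoco;

// Assumed POCO mapping; "articles" and "article_id" are from the question, "title" is assumed.
[TableName("articles")]
[PrimaryKey("article_id")]
public class Article
{
    public int article_id { get; set; }
    public string title { get; set; }
}

public static class InjectionCheck
{
    // Constructed probe value containing both quote styles, as the answer suggests.
    const string ProbeTitle = "O'Reilly's \"Guide\"";

    // db is assumed to be a PetaPoco.Database opened against a test database
    // that already has the articles table.
    public static void Run(Database db)
    {
        // Seed one row whose title contains quotes; Insert sends values as parameters.
        db.Insert(new Article { title = ProbeTitle });

        // Parameterized form (@0): the value travels as a DbParameter and is never
        // spliced into the SQL text, so the quotes cannot alter the statement.
        List<Article> safe = db.Fetch<Article>(
            "SELECT * FROM articles WHERE title=@0", ProbeTitle);
        Console.WriteLine($"parameterized: {safe.Count} row(s) matched, no exception");

        // Concatenated form for contrast: the quotes become part of the SQL text,
        // so the database reports a syntax error instead of matching the row.
        try
        {
            db.Fetch<Article>("SELECT * FROM articles WHERE title='" + ProbeTitle + "'");
            Console.WriteLine("concatenated: no error (unexpected)");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"concatenated: {ex.GetType().Name}: {ex.Message}");
        }
    }
}
```

A SQL trace, as the answer also suggests, shows the parameterized statement arriving with `@0` as a bound parameter rather than with the quoted value inlined.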