
Take this code as an example:

IAmazonSimpleDB client = new AmazonSimpleDBClient(Amazon.RegionEndpoint.USEast1);
SelectResponse response = client.Select(new SelectRequest() {
    SelectExpression = "SELECT * FROM `foo` where FooID = '" + id + "'" });

I can rewrite it as such:

IAmazonSimpleDB client = new AmazonSimpleDBClient(Amazon.RegionEndpoint.USEast1);
SelectResponse response = client.Select(new SelectRequest() {
    SelectExpression = string.Format("SELECT * FROM `foo` where FooID = '{0}'", id) });

But from my understanding, that still leaves it vulnerable to injection right?

Is there anything else I can do here? We aren't using SQL so I can't do SQL Parameters.

Tetsuya Yamamoto
mdrussell0779
  • Have you tried a Google search or Stack Overflow search on how to construct parameterized queries properly to prevent SQL injection? Also I would recommend doing all your `SQL CRUD Functions` on the DB side by creating Stored Procs – MethodMan Dec 18 '18 at 20:04
  • The best you can do is to whitelist the parameters you can use, which means you don't use any parameters that come from untrusted sources in untrusted formats. For instance, is `id` in your question an integer? If so then at most an incorrect id can be added, but no query text. – Lasse V. Karlsen Dec 18 '18 at 20:10
  • @MethodMan All well and good, **if** the database provided such means. This is Amazon's **simple** database, and it doesn't seem to provide any of that; all you get is a query text. I think a better advice is that if you're going to use parameters from untrusted sources, don't use SimpleDB. – Lasse V. Karlsen Dec 18 '18 at 20:10

1 Answer


I usually do a check to see if the id is an integer. That way you will get an exception or a Boolean value if it isn't an int. It will work fine unless you are using GUID values.

var isNumeric = int.TryParse("123", out int n); // Will give a bool (and the parsed value in n)

Int32.Parse(yourString); // This will throw an exception if it is not a possible integer

If it's anything more than that then you could use a Regex expression to look for strange values and remove characters that shouldn't be there, such as spaces. Most SQL injection attacks won't work if there are no spaces... I think. Removing all the spaces is pretty easy and I would assume your ID (even if it is complex) won't include spaces.

string s = " ";
string t = s.Replace(" ", ""); // It will be hard to do a SQL attack if the spaces are removed.

A little off topic, but with C# 6.0 you can format strings differently; it's a new feature called "string interpolation" (thanks Etienne de Martel).

$"SELECT * FROM `foo` where FooID = '{id}'"
Christopher Vickers
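An added example (not code from the question or the answer) that applies the advice from the comments and the answer in C#: because SimpleDB Select has no bound parameters, the untrusted id is parsed as an `int` or a `Guid` before it is embedded, so only a value of the expected type ever reaches the expression; the `SelectFoo` wrapper and the `FooID` column name follow the question, and the "opaque id" allowlist regex is an assumed id format.

```csharp
using System;
using System.Text.RegularExpressions;
using Amazon;
using Amazon.SimpleDB;
using Amazon.SimpleDB.Model;

public static class FooQueries
{
    // Assumed format for non-numeric, non-GUID ids: letters, digits, hyphen, 1-64 chars.
    private static readonly Regex AllowedId = new Regex(@"^[A-Za-z0-9-]{1,64}$");

    // Integer ids: parse first, then embed the parsed number, never the raw string.
    public static string BuildSelectForIntId(string untrustedId)
    {
        if (!int.TryParse(untrustedId, out int id))
            throw new ArgumentException("id must be an integer", nameof(untrustedId));
        return $"SELECT * FROM `foo` where FooID = '{id}'";
    }

    // GUID ids: Guid.TryParse rejects anything that is not a GUID, and "D" re-serialises
    // it in canonical 8-4-4-4-12 form, so the original input text is never embedded.
    public static string BuildSelectForGuidId(string untrustedId)
    {
        if (!Guid.TryParse(untrustedId, out Guid id))
            throw new ArgumentException("id must be a GUID", nameof(untrustedId));
        return $"SELECT * FROM `foo` where FooID = '{id.ToString("D")}'";
    }

    // Other opaque ids: allowlist the characters instead of trying to strip bad ones.
    public static string BuildSelectForOpaqueId(string untrustedId)
    {
        if (untrustedId == null || !AllowedId.IsMatch(untrustedId))
            throw new ArgumentException("id has disallowed characters", nameof(untrustedId));
        return $"SELECT * FROM `foo` where FooID = '{untrustedId}'";
    }

    public static SelectResponse SelectFoo(IAmazonSimpleDB client, string untrustedId)
    {
        string expr = BuildSelectForIntId(untrustedId); // pick the builder matching your id type
        return client.Select(new SelectRequest { SelectExpression = expr });
    }

    public static void Main()
    {
        Console.WriteLine(BuildSelectForIntId("123"));
        Console.WriteLine(BuildSelectForGuidId("6F9619FF-8B86-D011-B42D-00C04FC964FF"));
        try { BuildSelectForIntId("12' x"); }          // constructed malformed input: rejected
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

Rejecting on validation failure (rather than stripping characters, as the answer suggests) keeps the behaviour predictable: a request with a malformed id fails before any query text is built.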