
I have many Windows services which run on the server side only. They perform a few CRUD operations on a database (MySQL).

There is a client application which allows users to upload files through it to the server. When a file gets uploaded to the server, the Windows service performs the required operations on this file and updates the details in the database through SQL queries.

Client App (Desktop App) -> File -> Upload on Server -> Windows Service Processes File -> Database Entry

I was wondering if such an architecture really requires parameterized queries to prevent SQL injection?

Arpit Gupta
  • The answer to your question is "yes"; any other points mentioned are completely irrelevant - there is no excuse not to do things properly and safely. – DavidG Mar 25 '19 at 17:52
  • If the database code in the service does not perform parameterization on the user data, then malformed or malicious user data can lead to SQL injection, hence the need for parameterization. Why did you think this might not be the case? – Alex K. Mar 25 '19 at 17:52
  • Consider that by using parameterized queries you get not only SQL injection protection but also allow the DB engine to optimize its query plan. In any case, to answer we need to know what kind of operations you perform in the service. – Steve Mar 25 '19 at 17:53
  • @AlexK. I have many non-parameterized queries in my project. Under the new security standard, I need to make them all parameterized. This came to mind because generally web apps are more open to SQL injection. In my case the database operation was not happening directly through the client application. Hence I got confused. – Arpit Gupta Mar 25 '19 at 18:01
  • @ArpitGupta: you have to keep in mind that if some other system stores a "dangerous value" (like ... Drop table ...) in the database, because it used parameterized queries, and your service reads that value and uses it to create a query, then your service executes the SQL injection. – Volkmar Rigo Mar 25 '19 at 19:16

1 Answer


Working with parameterized queries does not only prevent SQL injection but gives you other advantages as well (e.g. query plan reuse).

If you do CRUD operations, then you can use an ORM (like EF) or a micro-ORM (like Dapper) to simplify the creation of the parameterized statements.

Volkmar Rigo
  • Is it advisable to use Entity Framework with MySQL? As I have tried it previously, it requires a lot of effort to set up Entity Framework with MySQL. – Arpit Gupta Mar 25 '19 at 18:06
  • EF Core should work with MySQL, but I've never tried it. You could give Dapper a try. Dapper does not generate SQL, but helps you with assigning parameter values and converting results to objects. – Volkmar Rigo Mar 25 '19 at 19:05
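Added example, not code from the question or the answer: the service-side "process the uploaded file, then write to MySQL" step written three ways, so the difference between a concatenated statement and a parameterized one is visible, and covering the second-order case raised in the comments on the question (a value read back from the database that feeds the next query). It assumes the MySql.Data and Dapper NuGet packages; the table `uploaded_files`, its columns, the sample record and the connection string are constructed here and are not from the page.

```csharp
// Assumes NuGet packages MySql.Data and Dapper.
// Table, columns, sample data and connection string are constructed for this example.
using System;
using System.Data;
using Dapper;
using MySql.Data.MySqlClient;

public sealed class UploadedFile
{
    public string FileName { get; set; } = "";
    public long SizeBytes { get; set; }
    public string UploadedBy { get; set; } = "";
}

public static class FileRecorder
{
    // VULNERABLE: the file name originates from the client's upload (or from a row
    // that another system wrote), so it is untrusted even though no browser is
    // involved. A single quote in the name changes the meaning of the statement.
    public static string BuildUnsafeSql(UploadedFile f) =>
        "INSERT INTO uploaded_files (file_name, size_bytes, uploaded_by) VALUES ('"
        + f.FileName + "', " + f.SizeBytes + ", '" + f.UploadedBy + "')";

    // SAFE: values travel as typed parameters and never become part of the SQL text.
    public static int InsertWithMySqlCommand(MySqlConnection conn, UploadedFile f)
    {
        const string sql =
            "INSERT INTO uploaded_files (file_name, size_bytes, uploaded_by) " +
            "VALUES (@fileName, @sizeBytes, @uploadedBy)";
        using var cmd = new MySqlCommand(sql, conn);
        cmd.Parameters.Add("@fileName", MySqlDbType.VarChar).Value = f.FileName;
        cmd.Parameters.Add("@sizeBytes", MySqlDbType.Int64).Value = f.SizeBytes;
        cmd.Parameters.Add("@uploadedBy", MySqlDbType.VarChar).Value = f.UploadedBy;
        return cmd.ExecuteNonQuery();
    }

    // SAFE with Dapper: the anonymous object's properties become the parameters,
    // so the SQL text stays constant and the caller never escapes anything by hand.
    public static int InsertWithDapper(IDbConnection conn, UploadedFile f) =>
        conn.Execute(
            "INSERT INTO uploaded_files (file_name, size_bytes, uploaded_by) " +
            "VALUES (@FileName, @SizeBytes, @UploadedBy)",
            new { f.FileName, f.SizeBytes, f.UploadedBy });

    // Second-order case: a value that was stored safely by someone else is still
    // data, not SQL, when this service reads it back and uses it in a new query.
    public static long? FindSize(IDbConnection conn, string fileNameFromDb) =>
        conn.QuerySingleOrDefault<long?>(
            "SELECT size_bytes FROM uploaded_files WHERE file_name = @name",
            new { name = fileNameFromDb });
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a file name containing a quote. It breaks the
        // concatenated statement but is an ordinary string as a parameter.
        var file = new UploadedFile
        {
            FileName = "o'hara report.csv",
            SizeBytes = 4096,
            UploadedBy = "svc-upload"
        };
        Console.WriteLine("Concatenated (do not run): " + FileRecorder.BuildUnsafeSql(file));

        // Placeholder connection string; the service would use its own.
        using var conn = new MySqlConnection(
            "Server=localhost;Database=uploads;Uid=svc;Pwd=CHANGE_ME;");
        conn.Open();
        Console.WriteLine(FileRecorder.InsertWithMySqlCommand(conn, file) + " row(s) via MySqlCommand");
        Console.WriteLine(FileRecorder.InsertWithDapper(conn, file) + " row(s) via Dapper");
        Console.WriteLine("size_bytes = " + FileRecorder.FindSize(conn, file.FileName));
    }
}
```

The point the answer makes about query plan reuse follows from the same property: because the SQL text in `InsertWithMySqlCommand` and `InsertWithDapper` is identical for every file, the server sees one statement with varying parameters rather than a new statement per upload.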