
I made a method to generate SQL queries (Insert, Update, Select, and Delete), but then I read about SQL injection.

Is it important to prevent injection while my application runs on a local PC, without a shared database, and the user can find the database file and open it anyway?

Why do I need to protect my query from injection?

// Generates an INSERT whose column values are bound as @-parameters.
// TableName and the column names in ColNameValues[i, 0] are still
// concatenated into the SQL text, so they must come from the application
// itself, never from user input.
class Cls_SQLGen
{
    // ColNameValues[i, 0] is the column name, ColNameValues[i, 1] its value.
    public static void SQLInsert(string TableName, string[,] ColNameValues)
    {
        string Query = "Insert into " + TableName + " ( ";
        #region Build query for insert
        // Column list: Col1, Col2, ..., ColN )
        for (int i = 0; i < ColNameValues.GetLength(0); i++)
        {
            string ColNames;
            if (i == ColNameValues.GetLength(0) - 1)
            {
                ColNames = ColNameValues[i, 0] + " ) ";
            }
            else
            {
                ColNames = ColNameValues[i, 0] + ", ";
            }
            Query += ColNames;
        }

        // Placeholder list: @Col1, @Col2, ..., @ColN )
        // The value itself never enters the SQL string.
        Query += "Values (";

        for (int i = 0; i < ColNameValues.GetLength(0); i++)
        {
            string ParamName;
            if (i == ColNameValues.GetLength(0) - 1)
            {
                ParamName = " @" + ColNameValues[i, 0] + ")";
            }
            else
            {
                ParamName = " @" + ColNameValues[i, 0] + ",";
            }
            Query += ParamName;
        }
        #endregion
        // ColNameValues is passed along so the access layer (not shown in
        // the post) can bind each @ColName parameter to ColNameValues[i, 1].
        DAL.SQLiteAccessLayes.ExcuteCommand(Query, ColNameValues);
    }
}

1 Answer

Is it important to prevent injection while my application is run on local PC and without share database and user can find database file and open it.

For security, no. A malicious user can damage the data on their own computer all they want.

For reliability, yes. If the user enters text that contains a ' in a string, your application will break if you don't prevent injection.

Imagine the user enters O'Hare as a last name. An unprotected query might write this SQL: INSERT INTO [PERSON] ([Firstname], [Lastname]) VALUES ('JOHN', 'O'HARE');

This would be invalid SQL and your application would error.

However, the code you pasted isn't enough to tell if it is vulnerable to injection. It depends on where you get the values you are concatenating as to whether or not it is a problem. It looks like you are attempting to parameterize your query, which would be sufficient, but I'm having trouble figuring out exactly what you are trying to do with that code.

Tim
  • "but I'm having trouble figuring out exactly what you are trying to do with that code" – I use it to insert data for small point-of-sale software, and thanks for your response. – Hasan Yusuf Jun 08 '19 at 02:07
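The O'Hare failure described in the answer, and the parameterized alternative, as an added example that is not part of the original question or answer. It uses Python's sqlite3 module against an in-memory database with a constructed person table, since the poster's DAL.SQLiteAccessLayes class is not shown. The allow-list of table and column names is an assumption added here: the posted generator still concatenates those identifiers into the SQL text, and a bound parameter cannot carry an identifier, so they need a separate check.

```python
"""Concatenated vs parameterized INSERT against an in-memory SQLite database."""
import sqlite3

# Constructed schema for the demo (not from the original post).
SCHEMA = "CREATE TABLE person (firstname TEXT NOT NULL, lastname TEXT NOT NULL)"

# Assumed allow-list of identifiers the application owns. Table and column
# names cannot be bound as parameters, so they are validated against this.
ALLOWED_COLUMNS = {"person": ("firstname", "lastname")}


def build_insert_concatenated(table, columns, values):
    """The pattern the answer warns about: values spliced into the SQL text."""
    col_list = ", ".join(columns)
    val_list = ", ".join("'" + v + "'" for v in values)
    return f"INSERT INTO {table} ({col_list}) VALUES ({val_list})"


def build_insert_parameterized(table, columns):
    """Identifiers checked against the allow-list; values left to the driver."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table: {table!r}")
    for col in columns:
        if col not in ALLOWED_COLUMNS[table]:
            raise ValueError(f"unknown column: {col!r}")
    placeholders = ", ".join("?" for _ in columns)
    return f"INSERT INTO {table} ({', '.join(columns)}) VALUES ({placeholders})"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_concatenated(conn, firstname, lastname):
    """Returns ('ok', rows) or ('error', message) if the SQL failed to parse."""
    sql = build_insert_concatenated(
        "person", ("firstname", "lastname"), (firstname, lastname)
    )
    try:
        conn.execute(sql)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", conn.execute("SELECT firstname, lastname FROM person").fetchall())


def insert_parameterized(conn, firstname, lastname):
    """Values are bound by the driver, so they are stored exactly as given."""
    sql = build_insert_parameterized("person", ("firstname", "lastname"))
    conn.execute(sql, (firstname, lastname))
    return conn.execute("SELECT firstname, lastname FROM person").fetchall()


def demo():
    results = {}
    # 1. Reliability: the apostrophe in O'HARE ends the literal early and the
    #    statement no longer parses (the failure the answer describes).
    results["ohare_concat"] = insert_concatenated(fresh_db(), "JOHN", "O'HARE")
    # 2. Integrity: a crafted value closes the row and appends a second one.
    smuggle = "x'), ('EVE', 'smuggled"
    results["smuggle_concat"] = insert_concatenated(fresh_db(), "JOHN", smuggle)
    # 3. Parameterized: both inputs land verbatim in a single row.
    results["ohare_param"] = insert_parameterized(fresh_db(), "JOHN", "O'HARE")
    results["smuggle_param"] = insert_parameterized(fresh_db(), "JOHN", smuggle)
    # 4. A table name from outside the allow-list is rejected before any SQL runs.
    try:
        build_insert_parameterized("person; DROP TABLE person", ("firstname",))
        results["bad_table"] = "accepted"
    except ValueError:
        results["bad_table"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running demo() shows the two halves of the answer side by side: the concatenated INSERT raises a syntax error on O'HARE and, for the second value, silently stores two rows instead of one, while the parameterized INSERT stores each input as a single row with the quotes intact. Case 4 is why the poster's generator is only half done: the @ColName placeholders protect the values, but TableName and the column names are still part of the SQL string and need an allow-list like ALLOWED_COLUMNS rather than a parameter.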