I was told that if you use SqlCommand in C# and add parameters to that command, it adds security because it protects against SQL injection. I was wondering if this is in fact true. If so, how can it stop SQL injection? It is my understanding that when using parameters, it just inserts a string at a point in the SQL command. So that string could be anything, making SQL injection possible, correct?
It is not a simple replace. The framework will send the values (especially strings) as a separate part of the RPC call, so that it is impossible for a value to be executed as code.
Thanks to @PanagiotisKanavos for the correction (6 years later).

harpo
- Ok, so the framework will remove numbers or anything inside of tick marks ''? – Eric R. Oct 29 '11 at 21:48
- No, it will include the tick marks as part of the query. So if your field is a number and there is something like this: `' + 0=0'`, that whole thing will be the parameter and the query will error, as opposed to the injection intention, which was to modify the query. An error is what you would want. – Valamas Oct 29 '11 at 21:51
- No, it won't remove anything; it will just encode it so it can be stored in the database as it's written. SqlParameter also takes care of the type of data that the matching column stores and encodes it appropriately, as well as checking bound conditions like whether a string will fit into a column holding VARCHAR(n). – Nikola Radosavljević Oct 29 '11 at 21:52
- The framework doesn't escape, convert or encode anything. The parameter values are sent as separate fields in the RPC call. They are never part of the query string, never even converted to strings, which is why they can't be executed. – Panagiotis Kanavos Nov 03 '17 at 11:24
- Thanks, @PanagiotisKanavos, answer updated. I did not know that at the time. – harpo Nov 12 '17 at 16:07
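The following is an added example, not code from the question or the answer above. It puts the concatenated query and the parameterized query side by side for the same attacker-controlled input, so you can see that with SqlParameter the statement text never changes and the value (tick mark included) stays in the Parameters collection, which SqlClient ships as a separate field of the sp_executesql RPC call. The command is built but never executed, so no SQL Server is needed; the `Users` table, the `@name` parameter and the `Microsoft.Data.SqlClient` package reference are assumptions for the illustration.

```csharp
// Added example, not from the original post. Assumes the Microsoft.Data.SqlClient
// NuGet package (System.Data.SqlClient works the same way) and a hypothetical
// Users(Id int, Name nvarchar(50)) table that is never actually queried here.
using System;
using System.Data;
using Microsoft.Data.SqlClient;

public static class ParameterDemo
{
    // Vulnerable: the value is spliced into the SQL text. The quote inside the
    // input closes the string literal, and everything after it is parsed as SQL.
    public static string BuildVulnerable(string userName)
    {
        return "SELECT Id FROM Users WHERE Name = '" + userName + "'";
    }

    // Safe: the statement text is a constant. The value is attached as a typed
    // SqlParameter and sent to the server as data, never merged into the text.
    public static SqlCommand BuildParameterized(string userName)
    {
        var cmd = new SqlCommand("SELECT Id FROM Users WHERE Name = @name");
        // Declare the type and length to match the column instead of letting
        // SqlClient infer them from whatever value the caller passes in.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Numeric columns: the parameter is an int, so the string from the comment
    // above ("' + 0=0'") cannot even be assigned to it without a conversion.
    public static SqlCommand BuildById(int id)
    {
        var cmd = new SqlCommand("SELECT Name FROM Users WHERE Id = @id");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }

    public static void Main()
    {
        string attack = "x' OR 1=1 --";

        // Concatenation: the WHERE clause has been rewritten by the input.
        Console.WriteLine(BuildVulnerable(attack));
        // SELECT Id FROM Users WHERE Name = 'x' OR 1=1 --'

        // Parameterized: the text is unchanged, the whole input is one value.
        SqlCommand safe = BuildParameterized(attack);
        Console.WriteLine(safe.CommandText);
        // SELECT Id FROM Users WHERE Name = @name
        Console.WriteLine(safe.Parameters["@name"].Value);
        // x' OR 1=1 --

        // For the numeric case, validate at the boundary and pass a real int.
        string rawId = "' + 0=0'";
        if (int.TryParse(rawId, out int id))
            Console.WriteLine(BuildById(id).CommandText);
        else
            Console.WriteLine("rejected: not an integer");
        // rejected: not an integer
    }
}
```

If you watch the traffic with SQL Server Profiler or Extended Events, the parameterized command shows up as an `sp_executesql` RPC call with `@name` listed as a separate parameter; the server parses only the constant statement text, so there is no position at which the value could be interpreted as SQL.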