
I've been reading a bit about SQL injection and I want to be sure my code is, let's say, "safe" from it. I was planning on using RegExp validators to check the user input, but another post on here suggested only using parameterized queries. Well, I'm using them, but I want to be sure my code is safe. Is it?

        // Requires: using System.Data.SqlClient;
        using ( SqlConnection dataConnection = new SqlConnection(myConnectionString) )
        {
            using ( SqlCommand dataCommand = dataConnection.CreateCommand() )
            {
                // User input is bound as a parameter, never concatenated into the SQL text
                dataCommand.CommandText = "INSERT INTO Lines (Name, CreationTime) " +
                    "VALUES (@LineName, @CurrentDateTime)";

                dataCommand.Parameters.AddWithValue("@LineName", TextBox2.Text);
                dataCommand.Parameters.AddWithValue("@CurrentDateTime", DateTime.Now.ToString());
                dataConnection.Open();
                dataCommand.ExecuteNonQuery();
                //do other DB stuff
            }
        }

I chopped the last part to make the post shorter; the rest is just trying and catching exceptions and closing the DB connection, as well as providing user feedback when the insert is successful.

  • If the CreationTime column is of type DateTime, you don't need the .ToString() cast. Commented Mar 15, 2011 at 18:41

3 Answers


Your code is fine; it is protected from injection because the values are passed as parameters, not string literals. However, if you are writing this type of data access yourself, have you considered creating SqlParameter objects, explicitly setting the type, size, etc., and adding the parameters to the command? AddWithValue will work just fine, but SQL Server will have to determine the type: a little, but unnecessary, overhead.


2 Comments

I had, but I didn't know that it would be a little better performance-wise if I did; guess I will be doing that now. Do you think it is still necessary to use the RegExp validator?
A Regex Validator for the user input that will be passed as parameters?

Well, you could always try to inject a SQL statement into the textbox, that will probably give you a quicker, definite answer.



Yes, that's reasonably safe. So long as you don't use "sanitized" variables from a prepared statement to generate dynamic SQL later, you're usually OK. The fact that you're using a prepared statement will take care of dealing with escape characters and other simple methods of injection.

I wouldn't forgo any other validation though...

2 Comments

Like what? Besides checking for empty fields, should I check for anything else?
What kind of input do you expect to receive? Check for anything that doesn't make sense. I'm a big fan of client side AND server side validation THEN using parameterized/prepared statements. If nothing else I'd like to see when people are trying to give me garbage, even if it's unlikely they'll be successful.
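Putting the first and third answers together, as an added example that is not code from the question or from either answer: explicit SqlParameter objects with a declared type and size for the INSERT, a DateTime value rather than its string form, server-side input validation before the query, and a follow-up query that binds the same user-supplied value again instead of concatenating it into dynamic SQL. The column types NVARCHAR(100) and DATETIME, the class name and the method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LineRepository   // hypothetical helper class
{
    // Inserts one row. User input is validated, then bound as a typed parameter.
    public static int InsertLine(string connectionString, string lineName)
    {
        // Server-side validation: reject input that makes no sense for a name column
        if (string.IsNullOrWhiteSpace(lineName) || lineName.Length > 100)
            throw new ArgumentException("Name must be 1-100 characters.", nameof(lineName));

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "INSERT INTO Lines (Name, CreationTime) VALUES (@LineName, @CurrentDateTime)";

            // Explicit type and size (assumed column NVARCHAR(100)): no server-side type inference
            SqlParameter nameParam = new SqlParameter("@LineName", SqlDbType.NVarChar, 100);
            nameParam.Value = lineName;
            cmd.Parameters.Add(nameParam);

            // Pass a DateTime, not its string form (assumed column DATETIME)
            SqlParameter timeParam = new SqlParameter("@CurrentDateTime", SqlDbType.DateTime);
            timeParam.Value = DateTime.Now;
            cmd.Parameters.Add(timeParam);

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // A later query that reuses the same user-supplied value. It is bound again as a
    // parameter; concatenating lineName into the SQL text here would reintroduce
    // injection even though the INSERT above was parameterized.
    public static int CountLinesNamed(string connectionString, string lineName)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT COUNT(*) FROM Lines WHERE Name = @LineName";
            cmd.Parameters.Add("@LineName", SqlDbType.NVarChar, 100).Value = lineName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```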
