downhillty
Please Help Prevent SQL injection
Hmmmm, not really an option. It would piss lots of people off!
My horrible plan at the moment is to load the list of valid columns (including dynamic ones).
Try and find them individually in the string.
Split the string into these known columns and values.
37 replies
Ok.
This is an example of the filter we receive, as a string. Not individual parameters.
tbl_coll.filter = "name = 'john' and title = 'MR' and (select top 1 group_id from groups where type = 1 and region = 'AUD') = 5"
This only applies to the where clause. Everything else is parameterized as you have suggested.
The Columns, Table, joins etc cannot be changed by the developer.
tbl_coll.filter is effectively our where clause. PHP developers call this API to read and write from the database. -- C# was many times faster at this. Lots of code has been written by a lot of PHP devs. If we have to parameterize, we can do it, I think it will just require them to do a lot of rework. If possible, it would be great if this C# API could continue to accept the string we already receive and then validate the columns and ensure it is safe.
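The approach sketched in both posts above (load the valid columns, find them in the string, split the string into known columns and values) works if it is done as a real parser rather than a search: accept only a small grammar, copy column names into the SQL text only when they match the allowlist exactly, and bind every value as a parameter. The following is an added example in Python, not code from this thread or from the C# API under discussion; the same structure ports directly to C#. It assumes a constructed column allowlist (the real one would come from the table schema, dynamic columns included), a grammar limited to `column op literal` joined by `and`/`or` with parentheses, and SqlClient-style `@pN` placeholders. Anything outside that grammar, including the subquery in the filter quoted above, is rejected instead of being passed through.

```python
import re

# Constructed allowlist: in the real API this would be built from the table's
# schema (including the dynamic columns), never from anything in the request.
ALLOWED_COLUMNS = {"name", "title", "group_id", "region", "type"}

# The entire grammar a filter may use; no subqueries, functions, comments or ';'.
TOKEN_RE = re.compile(r"""
    (?P<lparen>\()
  | (?P<rparen>\))
  | (?P<op><>|!=|<=|>=|=|<|>)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>-?\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
""", re.VERBOSE)


class FilterError(ValueError):
    """Raised for any filter that does not fit the allowed grammar."""


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise FilterError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class _Parser:
    # Recursive descent over:  expr := term (('and'|'or') term)*
    #                          term := '(' expr ')' | column op literal
    def __init__(self, tokens, allowed):
        self.tokens, self.i, self.allowed, self.params = tokens, 0, allowed, []

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind=None):
        tok = self.peek()
        if tok[0] is None or (kind is not None and tok[0] != kind):
            raise FilterError(f"expected {kind or 'more input'}, got {tok[1]!r}")
        self.i += 1
        return tok

    def expr(self):
        parts = [self.term()]
        while self.peek()[0] == "word" and self.peek()[1].lower() in ("and", "or"):
            parts.append(self.take()[1].upper())
            parts.append(self.term())
        return " ".join(parts)

    def term(self):
        if self.peek()[0] == "lparen":
            self.take("lparen")
            inner = self.expr()
            self.take("rparen")
            return f"({inner})"
        return self.comparison()

    def comparison(self):
        kind, col = self.take()
        # The column name is copied into the SQL text, so it must be one of the
        # allowlisted spellings exactly; 'select', 'and', '1' all fail here.
        if kind != "word" or col not in self.allowed:
            raise FilterError(f"{col!r} is not an allowed column")
        _, op = self.take("op")
        kind, raw = self.take()
        if kind == "str":
            value = raw[1:-1].replace("''", "'")  # undo SQL quote doubling
        elif kind == "num":
            value = float(raw) if "." in raw else int(raw)
        else:
            raise FilterError(f"expected a literal after {op!r}, got {raw!r}")
        self.params.append(value)  # bound as a parameter, never spliced into SQL text
        return f"{col} {op} @p{len(self.params) - 1}"


def compile_filter(filter_text, allowed_columns=ALLOWED_COLUMNS):
    # Returns (where_sql, params) for a tbl_coll.filter-style string, or raises FilterError.
    tokens = tokenize(filter_text)
    if not tokens:
        raise FilterError("empty filter")
    parser = _Parser(tokens, allowed_columns)
    sql = parser.expr()
    if parser.i != len(tokens):
        raise FilterError(f"unexpected token {tokens[parser.i][1]!r}")
    return sql, parser.params


def rejects(filter_text, allowed_columns=ALLOWED_COLUMNS):
    # True if the filter is refused by the grammar or the allowlist.
    try:
        compile_filter(filter_text, allowed_columns)
        return False
    except FilterError:
        return True
```

In the C# API the returned text would be appended as the WHERE clause and each entry of `params` added as a `SqlParameter` named `@p0`, `@p1`, and so on, so the PHP callers keep sending the same filter string while the server never executes any value from it. If callers need `IN`, `LIKE` or `IS NULL`, add a production for it in `comparison` rather than loosening the tokenizer; the first time a filter is rejected in production it will be a real bug report (or a real attack), not a silently executed subquery.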