Koji Ishii
One thing I've been frustrated with in ADO.NET is the lack of an Escape()
function or parameterized query for RowFilter. By "Escape() function" I mean a
function like Regex.Escape(), which turns a string into a literal string in
the expression.
I can write:
ds.RowFilter = "col1 = '" + value.Replace("'", "''") + "'";
or
ds.RowFilter = "col1 LIKE '" + value.Replace("'", "''").Replace("[", "[[]")
    .Replace("%", "[%]").Replace("*", "[*]") + "%'"; // in DataColumn.Expression, * and % are the LIKE wildcards and are escaped as [*] and [%]; _ is not a wildcard
but this tends to be forgotten. Now I have seen some samples from WinFS, and
they use a similar embedded expression as a string, without an Escape function or a
parameterized query.
I'm wondering if this was already discussed, since I believe this is a
pretty common issue. MS strongly discourages building expressions like this
for SQL Server to prevent SQL code injection attacks. Well, DataSet may be
safe since it's not as capable as SQL Server, but we have a similar model not
only in DataSet but also in XPath, XQuery, WinFS, etc., and we developers
must keep remembering which escape characters apply to which. Developers have
to pay attention to what security risk is involved if injection happens.
Injection against WinFS sounds pretty risky.
Wouldn't it be nice if every class that implements an internal
compiler/interpreter had at least Escape() and Unescape()? A parameterized
query is also fine with me, but that might not be as easy as Escape() and
Unescape(), I guess.
Does anyone have any thoughts on this?
Thanks,
Koji Ishii
http://www.gluesoft.co.jp/en/
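The Escape() helper the post describes, written as an added example for this page (it is not code from the original post and not part of ADO.NET). It targets the DataColumn.Expression language that DataView.RowFilter and DataTable.Select evaluate, where a quote inside a string literal is doubled and, on the right-hand side of LIKE, the wildcards * and % and the bracket characters are written as [c]. The table contents and the hostile input are constructed for the demonstration.

```csharp
using System;
using System.Data;
using System.Text;

// Added example, not code from the original post: an Escape() for the
// DataColumn.Expression language, run against a constructed DataTable so
// that the difference between concatenating and escaping is visible.
static class RowFilterEscapeDemo
{
    // Returns `value` as it must appear between single quotes in an
    // expression so that it is read as one literal string.
    // Rules from the DataColumn.Expression documentation:
    //   - a single quote inside a string literal is written as two ('')
    //   - on the right-hand side of LIKE, * and % are wildcards and [ ]
    //     delimit an escape, so each of those characters is written as [c]
    // `forLike` says whether the LIKE rules apply; in an equality
    // comparison only the quote is special.
    public static string Escape(string value, bool forLike)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            if (c == '\'')
                sb.Append("''");
            else if (forLike && (c == '*' || c == '%' || c == '[' || c == ']'))
                sb.Append('[').Append(c).Append(']');
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    // Constructed sample data.
    static DataTable BuildTable()
    {
        var t = new DataTable();
        t.Columns.Add("col1", typeof(string));
        t.Rows.Add("alice");
        t.Rows.Add("bob");
        t.Rows.Add("50% off");
        return t;
    }

    // Number of rows the filter selects.
    static int CountRows(DataTable t, string filter)
    {
        var dv = new DataView(t) { RowFilter = filter };
        return dv.Count;
    }

    static void Main()
    {
        DataTable t = BuildTable();

        // Input that closes the string literal and appends a second clause.
        string hostile = "zzz' OR col1 <> '";

        // Naive concatenation yields  col1 = 'zzz' OR col1 <> ''  which is
        // true for every row in the table.
        Console.WriteLine("naive   : {0} rows",
            CountRows(t, "col1 = '" + hostile + "'"));

        // With Escape() the filter is  col1 = 'zzz'' OR col1 <> '''  and the
        // whole input is compared as one literal, so nothing matches.
        Console.WriteLine("escaped : {0} rows",
            CountRows(t, "col1 = '" + Escape(hostile, false) + "'"));

        // LIKE: an unescaped trailing % is a wildcard, so a search for the
        // text "50%" also matches "50% off" by prefix. [%] is a literal
        // percent sign, so the escaped search only matches an exact "50%".
        Console.WriteLine("like naive  : {0} rows",
            CountRows(t, "col1 LIKE '50%'"));
        Console.WriteLine("like escaped: {0} rows",
            CountRows(t, "col1 LIKE '" + Escape("50%", true) + "'"));

        // The code, not the user, decides where the wildcard goes. A
        // wildcard in the middle of a LIKE pattern is rejected by the
        // expression parser, so escaping also keeps user text from turning
        // a prefix search into an invalid pattern.
        Console.WriteLine("prefix search: {0} rows",
            CountRows(t, "col1 LIKE '" + Escape("50% o", true) + "*'"));
    }
}
```

The escaping rules above are those of DataColumn.Expression, not of T-SQL, which is exactly the point the post makes: each embedded language has its own special characters. RowFilter has no parameterized form, so when the filter value comes from the outside the choices are an escaper like this one or not building an expression string at all and filtering the rows in ordinary code.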