SQL Injections and parameterized SQL


LtyChan

This might be a stupid question - but can I be sure to avoid SQL injections
by using parameterized queries? Will SQL Server or ADO.NET kill any attempts
to drop or update data through SQL injections (i.e. '; update ..... ;--), and
can I see a log of any attempts somewhere (will SQL Server warn or fail)? Can
I read about what really happens when using parameterized queries
(SqlClient) somewhere?

Thanks
 

Robert Simpson

In a parameterized query, the SQL statement with its parameter markers is
prepared, and then the parameters are pushed separately. The values inside
the parameters are not parsed by the SQL query parser, so there's nowhere in
the code path for an injection to occur.

Robert
 

Miha Markic

Hi there,

LtyChan said:
> This might be a stupid question - but can I be sure to avoid SQL
> injections by using parameterized queries?

Yes. 100%.

> Will SQL Server or ADO.NET kill any attempts
> to drop or update data through SQL injections (i.e. '; update ..... ;--),

SQL Server will treat all parameter values as data and not as a part of the SQL
statement.

> and
> can I see a log of any attempts somewhere (will SQL Server warn or fail)?

No. SQL Server (or any other database) doesn't care - it is all data from
the SQL Server perspective.

> Can
> I read about what really happens when using parameterized queries
> (SqlClient) somewhere?

Parameter values are transferred separately from the SQL statement and are not
part of the statement. Thus one can inject code into parameter values - OK, one
can inject code, but the code won't be executed...
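What Robert and Miha describe can be watched from the SQL Server side. The T-SQL below is an added example, not code from the thread: it builds the thread's '; update ... ;-- payload once and runs it two ways against a scratch table constructed for the demo. The first way concatenates the value into the statement text and hands the whole string to the parser with EXEC(), so the embedded UPDATE runs. The second way uses sp_executesql with a declared parameter, which is the call shape SqlClient sends to the server when a SqlCommand carries SqlParameters (a SQL Profiler trace of such a command shows this RPC). The #Accounts table, its columns and the payload are all assumptions made for the example.

```sql
-- Scratch table with two rows (constructed sample data for this demo).
CREATE TABLE #Accounts (
    Name    nvarchar(50) NOT NULL,
    Balance money        NOT NULL
);
INSERT INTO #Accounts (Name, Balance) VALUES (N'alice', 100);
INSERT INTO #Accounts (Name, Balance) VALUES (N'bob', 250);

-- Attacker-controlled input, shaped like the thread's "'; update ... ;--".
-- The doubled quote is only T-SQL literal escaping; the stored value is
--   alice'; UPDATE #Accounts SET Balance = 0; --
DECLARE @input nvarchar(200);
SET @input = N'alice''; UPDATE #Accounts SET Balance = 0; --';

---------------------------------------------------------------------------
-- 1. Vulnerable: the value is concatenated into the statement text, so the
--    parser sees one batch containing the attacker's UPDATE and runs it.
---------------------------------------------------------------------------
DECLARE @vulnerable nvarchar(max);
SET @vulnerable =
    N'SELECT Name, Balance FROM #Accounts WHERE Name = ''' + @input + N'''';
PRINT @vulnerable;   -- the batch the parser actually receives
EXEC (@vulnerable);

SELECT 'after concatenation' AS step, Name, Balance FROM #Accounts;
-- both balances are now 0: the injected UPDATE executed

-- Restore the rows for the second run.
UPDATE #Accounts
   SET Balance = CASE Name WHEN N'alice' THEN 100 ELSE 250 END;

---------------------------------------------------------------------------
-- 2. Parameterized: the statement text is fixed and @name travels
--    separately. This is what SqlClient issues for a SqlCommand whose
--    CommandText contains @name and whose Parameters collection holds it.
---------------------------------------------------------------------------
EXEC sp_executesql
    N'SELECT Name, Balance FROM #Accounts WHERE Name = @name',
    N'@name nvarchar(200)',
    @name = @input;
-- returns no rows: nothing is literally named "alice'; UPDATE ... --"

SELECT 'after sp_executesql' AS step, Name, Balance FROM #Accounts;
-- balances unchanged: the payload was compared as a string, never parsed

DROP TABLE #Accounts;
```

Run it in a query window against any SQL Server instance. The two SELECTs labelled by step show the balances zeroed after the first run and untouched after the second, and the parameterized SELECT itself returns nothing because no row carries the payload as its name. Note that nothing in the server flags the second run as an attack; as Miha says, the value is just data. The same contrast holds inside a stored procedure: a procedure body that builds a string and runs EXEC() on it is exactly as injectable as the first form, so moving SQL into a procedure only helps if the procedure itself uses parameters rather than concatenation.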
 

LtyChan

Thanks guys,

Parameterized queries it is then ;) (I know that stored procedures are better -
but I like to keep it in .NET code)

Thanks
 

William \(Bill\) Vaughn

As many have said, SQL injection is virtually impossible when using
parameterized queries. While I discuss this problem in my book, I don't show
how to do it. There are sites and sessions that do, so those who would want
to carry out data attacks can do so quite easily.
What was the meaning of the comment about SPs and keeping it in .NET?

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
 
