
I'm working on a SQL engine, and to prevent SQL injection I have used SQL parameters.

But on the other hand I refer to the table name from the method parameter.

It looks like this for a simple example:

```csharp
public void dosomething(string tablename)
{
    // The table name is concatenated straight into the query text
    string query = "select productname, price from " + tablename;

    ...
}
```

Now my question: is this insecure?

  • A table name cannot be passed as a SQL parameter. Your sample is insecure if multiple statements are able to run; imagine tablename = "item; Drop table item". Commented May 26, 2015 at 9:41
  • It's safe if you have control of the table name. It would be very dangerous if you expect the user to supply the name without some very thorough sanitisation. Commented May 26, 2015 at 9:42
  • Could you give a sample of how to secure this function? Commented May 26, 2015 at 9:44
  • See stackoverflow.com/a/17947836/1287352 Commented May 26, 2015 at 9:55

2 Answers

You could check this yourself: what would happen if you ran it like so?

```csharp
dosomething("Product;DROP TABLE Product;--")
```

This assumes a table named Product. It is particularly going to be a problem if your tablename parameter is coming from user input.


1 Comment

OK, thank you for the quick answer. Do you have a solution to prevent this?


It is definitely insecure if the user is supplying the tablename. As best practice, instead of constructing the statements, they can be mapped or selected based on user inputs via if/case etc. over predefined strings in your code. This will eliminate basic SQL injection attacks, as Eric said.

Also, one more layer can be introduced via OOP tricks so that DDL, DML and DCL are clearly separated in your query engine, so that even the rare SQL injection attacks are eliminated.

1 Comment

It's not 'definitely insecure'. It's only a problem if the OP is allowing a user to supply the tablename directly. If the tablename is being supplied by the software without user input there's no problem here at all.
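Putting the two answers together, here is an added example (not the OP's code and not either answerer's) of the mapping approach in C#: the caller's table selector is looked up in a fixed dictionary of predefined identifiers, anything not in that dictionary is rejected before any SQL is built, and the value filter travels as a SqlParameter. The table names, the connection string and the use of System.Data.SqlClient are assumptions made for the illustration; the command is built but not executed so its text can be inspected.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeTableQuery
{
    // Allow-list: the only table identifiers this code will ever emit.
    // Keys are caller-facing selectors, values are the exact identifiers
    // placed in the SQL. (Constructed example; not the OP's real schema.)
    private static readonly IReadOnlyDictionary<string, string> AllowedTables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["product"] = "Product",
            ["archive"] = "ProductArchive",
        };

    // Builds the command without executing it. The identifier comes from our
    // own constant table above; the caller-supplied value goes through a parameter.
    public static SqlCommand BuildCommand(SqlConnection conn, string tableKey, decimal minPrice)
    {
        if (!AllowedTables.TryGetValue(tableKey ?? string.Empty, out string table))
        {
            // Unknown selector: reject it outright and never echo it into SQL text.
            throw new ArgumentException("Unknown table selector", nameof(tableKey));
        }

        var cmd = new SqlCommand(
            $"SELECT productname, price FROM [{table}] WHERE price >= @minPrice", conn);
        cmd.Parameters.Add("@minPrice", SqlDbType.Decimal).Value = minPrice;
        return cmd;
    }

    public static void Main()
    {
        // Placeholder connection string; assumption for the example only.
        using (var conn = new SqlConnection("Server=(local);Database=Shop;Integrated Security=true;"))
        {
            SqlCommand ok = BuildCommand(conn, "product", 10m);
            Console.WriteLine(ok.CommandText);

            try
            {
                // The payload from the first answer never reaches the query text.
                BuildCommand(conn, "Product;DROP TABLE Product;--", 10m);
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("Rejected: " + e.Message);
            }
        }
    }
}
```

The dictionary is the whole control: the caller chooses among names you wrote, not arbitrary text, so the "multiple statements" concern from the comments does not arise even when the selector originates from user input. Values such as the price still belong in parameters, since the allow-list only covers the identifier.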
