
I want to avoid SQL injection. I am posting a simplified version of the problem I am working on.

The client wants to view a set of columns from a table. It passes the table name and a list of columns. The client knows the table name and the full list of possible columns through a secured API.

On the server, I am constructing a SELECT query using the table name and list of columns passed.

I cannot use a view.

To avoid SQL injection, this is what I am planning to do.

  1. Check that the columns passed are part of the full list of possible columns.
  2. Check whether a column name contains any characters like =, -, or + to avoid any security issues.

Am I missing anything here?

3 Comments
  • You should probably check the OWASP SQL injection cheat sheet to make sure: owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet Commented Jul 30, 2018 at 7:15
  • Thank you @JeroenSteenbeeke. If I understand correctly, my #1 is 'Option 3: White List Input Validation' in the cheat sheet. Thanks again for your input. Commented Jul 30, 2018 at 7:28
  • That seems the most applicable in your case, yes. Commented Jul 30, 2018 at 7:35

1 Answer

Query the catalog to check that the entered table name really exists in the database. (And likewise for checking that the entered column names really are columns of the named table.)


2 Comments

And make that query a parameterized one, otherwise it will be just another query vulnerable to SQLi. :)
Yes, obviously :-)
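A worked version of what the question and the answer above describe: the requested table and column names are checked against the database catalog with parameterized queries, then emitted as quoted identifiers. This is an added example and not code from the original post. The SQLite schema, the per-table EXPOSED allowlist and the function names are constructed for illustration; the catalog queries use SQLite's sqlite_master table and its pragma_table_info() table-valued function, so another database would need its own information_schema equivalents.

```python
import sqlite3

# Constructed sample schema for the example (not from the original post).
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT, email TEXT, pw_hash TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'h1');
INSERT INTO users VALUES (2, 'bob',   'bob@example.com',   'h2');
"""

# Assumed authorisation policy: which columns of which table the client may ever see.
# Being present in the catalog is not the same as being safe to expose
# (pw_hash is a real column of users, but must never be selectable by the client).
EXPOSED = {
    "users": {"id", "name", "email"},
    "orders": {"id", "user_id", "total"},
}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn, table):
    """Catalog check for the table name. The name is a bound parameter, never concatenated."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def real_columns(conn, table):
    """Catalog check for the column names via SQLite's table-valued pragma, again parameterised."""
    return {r[0] for r in conn.execute("SELECT name FROM pragma_table_info(?)", (table,))}


def quote_ident(name):
    """Defence in depth: emit even a validated name as a quoted identifier ("" escapes a quote)."""
    return '"' + name.replace('"', '""') + '"'


def build_select(conn, table, columns):
    """Return a SELECT for the requested columns, or raise ValueError on anything not allowlisted."""
    if not table_exists(conn, table):
        raise ValueError(f"unknown table: {table!r}")
    if not columns:
        raise ValueError("no columns requested")
    # A column must be both a real column of the table and one the policy permits.
    allowed = real_columns(conn, table) & EXPOSED.get(table, set())
    rejected = [c for c in columns if c not in allowed]
    if rejected:
        raise ValueError(f"columns not permitted on {table!r}: {rejected}")
    select_list = ", ".join(quote_ident(c) for c in columns)
    return f"SELECT {select_list} FROM {quote_ident(table)}"


def fetch(conn, table, columns):
    return conn.execute(build_select(conn, table, columns)).fetchall()


def is_rejected(conn, table, columns):
    """True if the request fails validation; used to show injection attempts being refused."""
    try:
        build_select(conn, table, columns)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print(build_select(db, "users", ["id", "name"]))
    print(fetch(db, "users", ["name", "email"]))
    print(is_rejected(db, "users; DROP TABLE users; --", ["id"]))   # table not in catalog
    print(is_rejected(db, "users", ["name, pw_hash"]))              # not a single real column
    print(is_rejected(db, "users", ["name", "pw_hash"]))            # real, but not exposed
```

With this structure the character blocklist from step 2 of the question is not needed: a name either matches a catalog entry exactly or the request is refused, and quoting the identifier means that even a strange but legitimate column name (one containing a space or a hyphen) is handled correctly rather than being rejected or misparsed. The EXPOSED map is the piece the catalog alone cannot give you: it encodes which real columns the client is authorised to read.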
