3
command.CommandText = String.Format("CREATE LOGIN {0} WITH password='{1}'", loginName, password);

loginName and password are based on some user input.

I realize that it's bad practice to do it in this way, but how do I avoid SQL injections here?

0

5 Answers 5

8

Call sp_addlogin instead - it's already parameterized


3 Comments

Good point. Are there other SQL products that use this same syntax to create logins?
OK, I can do it this way. Now I'm facing another problem - I need to create a database. CREATE DATABASE doesn't seem feasible to be parameterized either.
It's worth noting that the MSDN page for sp_addlogin has a warning that the proc will not be available in a future release of SQL Server, and therefore shouldn't be used in new developments. See here: msdn.microsoft.com/en-us/library/ms173768.aspx
0

Here's how to parameterize your SQL. You may also want to check out this article on writing a DAO that handles this type of thing. I'm not sure if you can parameterize the LoginName. You're probably best off calling sp_addlogin like the previous poster said.

    command.CommandText = @"CREATE LOGIN @LoginName WITH password=@Password";
    command.CommandType = CommandType.Text;
    command.Parameters.Add(new SqlParameter()
    {
        ParameterName = "@LoginName",
        Value = "MyLoginNameValue",
        SqlDbType = SqlDbType.NVarChar,
        Size = 50
    });
    command.Parameters.Add(new SqlParameter()
    {
        ParameterName = "@Password",
        Value = "MyPasswordValue",
        SqlDbType = SqlDbType.NVarChar,
        Size = 50
    });

1 Comment

Nope, that doesn't work - it throws an exception "Incorrect syntax near '@LoginName'."
0

It seems like the most correct way to do it is to use the SQL Server SMO SDK. I don't care about any other SQL engines, since we'll never move from SQL Server for sure.

0

You can parameterize such queries by wrapping your DDL query in an exec as follows:

command.CommandText = "exec ('CREATE DATABASE ' + @DB)"

If you then add the parameter for @DB as usual this should work (in t-sql at least).

It should be possible to use CREATE LOGIN in the same fashion.

1 Comment

Ultimately, string concatenation is still being performed, just inside the database engine, so I don't see how this mitigates against injection (e.g. @DB = '\'1=1').
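The concern raised in the comment above (concatenation inside EXEC is still injectable) is usually addressed in T-SQL by escaping each piece with QUOTENAME before the dynamic DDL is executed. The following is an added example, not code from any of the answers; the procedure name usp_CreateLoginSafely is hypothetical.

```sql
-- Added example (not from the original answers). Dynamic DDL still has to be
-- built as a string, but each user-supplied piece is escaped with QUOTENAME
-- so it can only ever be one identifier or one string literal.
CREATE PROCEDURE dbo.usp_CreateLoginSafely   -- hypothetical name
    @LoginName sysname,          -- max 128 chars, same limit as QUOTENAME input
    @Password  nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max);

    -- QUOTENAME(x) wraps the value in [ ] and doubles any ] inside it, so a
    -- stray ] or quote in the name cannot terminate the identifier.
    -- QUOTENAME(x, '''') wraps the value in single quotes and doubles any
    -- embedded quote, so the password is always a single string literal.
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@LoginName)
             + N' WITH PASSWORD = ' + QUOTENAME(@Password, '''') + N';';

    -- QUOTENAME returns NULL for input longer than 128 characters; refuse
    -- rather than silently executing a NULL statement.
    IF @sql IS NULL
        THROW 50000, N'Login name or password exceeds 128 characters.', 1;

    EXEC sys.sp_executesql @sql;
END;
GO

-- Call it from the application as a stored procedure with SqlParameters
-- (CommandType.StoredProcedure) so the raw values never touch client-side
-- string building. Constructed sample values:
EXEC dbo.usp_CreateLoginSafely @LoginName = N'app_user', @Password = N'S3cure!Pa$$w0rd';
```

The same QUOTENAME pattern applies to CREATE DATABASE, where only the identifier form QUOTENAME(@DB) is needed.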
-1

Can try something like this:

SqlCommand cmd = new SqlCommand(
    "CREATE LOGIN @login WITH password=@pwd", conn);

// Parameter names must match the placeholders exactly (no trailing space).
SqlParameter param = new SqlParameter();
param.ParameterName = "@login";
param.Value = usertextforlogin;
cmd.Parameters.Add(param);

param = new SqlParameter();
param.ParameterName = "@pwd";
param.Value = usertextforpwd;
cmd.Parameters.Add(param);

1 Comment

You cannot parameterize object names in T-SQL, and the CREATE LOGIN statement uses an object name, not a string/text value, for its arguments.
