
Do I have to worry about inserts/updates/deletes/injection attacks when I use the following SqlDataAdapter?

Do I need to do anything in order to prevent inserts/updates/deletes/injection attacks when I'm using the following code?

public static DataSet getReportDataSet(string sqlSelectStatement)
{
    // The whole statement text comes from the caller; the adapter sends it to the server unchanged.
    using (SqlConnection conn = new SqlConnection(GlobalVars.ConnectionString))
    using (SqlDataAdapter da = new SqlDataAdapter(sqlSelectStatement, conn))
    {
        DataSet reportData = new DataSet();
        da.Fill(reportData, "reportData");
        return reportData;
    }
}

The idea behind this is that I'll be extracting the sql from a series of Crystal Reports, pulling the data for each report from the MS SQL Server, binding the data to the reports and then exporting the filled reports to PDF.

I know that you can use the built-in functionality to get the reports to pull their own data, but my tests have shown that pushing the data to the reports is a whole bunch faster. My only issue with this is that I have no control over the reports that will be run.

People will be required to provide their own login credentials for the SQL Server, so they will only be able to see data from the databases that they have permissions to... but some of the users have write permissions, and I'm worried that blindly running an sql string pulled from a Crystal Report could potentially allow for an insert/update/delete/injection attack...

I think that I might be worrying for nothing, but I can't find anything that outright states if this could be used for things aside from selects.

Edit:

So from the initial comments, I think that I do have to worry about SQL statements aside from SELECTs. So my question now becomes: is there some way to specify that an SqlConnection can only be used for 'reads' (i.e. SELECTs)?

The problem is not the adapter. The problem is, how you pass parameters to your sql command. You should not do things like

string sql = "SELECT * FROM t WHERE name='" + name +"'";

Instead use parameters:

SqlCommand cmd = new SqlCommand("SELECT * FROM t WHERE name = @name", conn);
SqlParameter param = new SqlParameter();
param.ParameterName = "@name";
param.Value = "John Doe";
cmd.Parameters.Add(param);
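The following is an added example, not code from the question or the answer above, showing how the parameterized command from this answer fits into the asker's SqlDataAdapter/DataSet pattern. Table `t`, column `name`, and the connection string are placeholders. Note that ADO.NET has no "read-only" switch on SqlConnection; whether a statement can write is decided by the permissions of the login the connection uses, so parameterization and least-privilege database roles are the two controls that actually apply here.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ReportData
{
    // Vulnerable pattern from the answer: the value is spliced into the statement text,
    // so the value itself is parsed as SQL and the login's permissions decide what
    // an unexpected value can do.
    public static string BuildUnsafeSql(string name)
    {
        return "SELECT * FROM t WHERE name='" + name + "'";
    }

    // Hardened form: the statement text is fixed and the value travels separately
    // as a typed parameter, so it is never parsed as part of the query.
    public static DataSet GetReportDataSet(string connectionString, string name)
    {
        const string sql = "SELECT * FROM t WHERE name = @name";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare the parameter with an explicit type and length; the value is data, not SQL.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;

            // SqlDataAdapter accepts a SqlCommand, so the asker's Fill/DataSet flow is unchanged.
            using (var da = new SqlDataAdapter(cmd))
            {
                var reportData = new DataSet();
                da.Fill(reportData, "reportData");
                return reportData;
            }
        }
    }
}
```

This only helps where the application controls the statement text and supplies the values itself. When the entire statement comes from a report definition, as in the question, there is nothing to parameterize, and the remaining control is the permission set of the login the connection runs under.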

In general I would say: Yes, you have to.

But maybe Crystal Reports quotes the SQL-String already. Try an "attack" by yourself and see what sqlSelectStatement contains.
