
I have some questions about how to prevent SQL injection with the help of parameterised queries

// Statement text contains only parameter placeholders, never user input.
string sqlQuery = "SELECT * FROM usersTbl WHERE username=@uname AND password=@passwd";
SqlCommand cmd = new SqlCommand(sqlQuery, conn);

// Array type must match the element type (SqlParameter, not MySqlParameter).
SqlParameter[] par = new SqlParameter[2];

// Parameter names must match the placeholders exactly (no trailing space).
par[0] = new SqlParameter("@uname", SqlDbType.VarChar, 25);
par[1] = new SqlParameter("@passwd", SqlDbType.VarChar, 45);

And then I attach them to the SqlCommand and ExecuteScalar it.

For example, if the client inserts the string ;DROP -- in the password variable, will the parameterised query prevent the DROP query from being executed?

Thank you


2 Answers

4

Of course, when the client passes the ';DROP -- value in the password field, this will be parsed into

SELECT * 
FROM usersTbl 
WHERE username=@uname AND password=''';DROP --'

The command object will automatically escape any single quotes found in the value.

UPDATE 1

As I already told you, it won't, because the quotes will be escaped by doubling them. Example,

string pass_val = "'; DROP usersTbl;--";

when you pass that into the command as a parameterized value, this will become

SELECT * FROM usersTbl WHERE ... AND password='''; DROP usersTbl;--'

and NOT

SELECT * FROM usersTbl WHERE ... AND password=''; DROP usersTbl;--

5 Comments

SELECT * FROM usersTbl WHERE username=@uname AND password=''; DROP usersTbl;-- So the @passwd parameter is ''; DROP usersTbl;--. Will it execute it? Because the @passwd is VarChar (string).
Parametrized queries aren't the same as escaping query values. When using parametrized queries, the parameters and the actual query are two distinct parts.
So is there any way to bypass it and make the DROP (or other SQL commands) be executed?
@user1501674 hmmm, are you trying to get any way to bypass parameterized queries? Unfortunately, no.
So what you are telling me is that as long as I'm using parameterised queries I'm utterly protected from SQL injections?
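The situation discussed in the question and the answer above, as an added example that is not part of the original page. Python's sqlite3 module with an in-memory database stands in for SqlConnection/SqlCommand (the mechanism is the same in both: the statement text carries only placeholders and the values are bound to it separately, so a value can never change the statement's structure). The usersTbl schema, the login check, and the sample rows are constructed for this example; the injected password string is the one from the question.

```python
import sqlite3

# Constructed sample input: the attacker-controlled password from the question.
INJECTED_PASSWORD = "'; DROP TABLE usersTbl;--"


def make_db():
    """Constructed in-memory database standing in for the SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usersTbl (username TEXT, password TEXT)")
    conn.execute("INSERT INTO usersTbl VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def table_exists(conn):
    """True while usersTbl still exists, i.e. no DROP has run."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='usersTbl'"
    ).fetchone()
    return row[0] == 1


def login_concatenated(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text.

    The password value closes the quoted literal, appends a DROP and
    comments out the rest. executescript() is used because sqlite3's
    execute() refuses multi-statement strings; SqlClient runs batches,
    so there the DROP would execute with plain ExecuteScalar()."""
    sql = (
        f"SELECT COUNT(*) FROM usersTbl WHERE username='{username}' "
        f"AND password='{password}'"
    )
    conn.executescript(sql)
    return sql


def login_parameterised(conn, username, password):
    """Safe form, mirroring the question's @uname / @passwd placeholders.

    The statement text is fixed at write time; the driver binds the two
    values to :uname and :passwd without ever merging them into the text,
    so quotes, semicolons and comment markers inside a value are just data."""
    sql = "SELECT COUNT(*) FROM usersTbl WHERE username=:uname AND password=:passwd"
    row = conn.execute(sql, {"uname": username, "passwd": password}).fetchone()
    return row[0]


def store_user(conn, username, password):
    """Store a row with a bound value; the value is kept verbatim, quotes included."""
    conn.execute("INSERT INTO usersTbl VALUES (:uname, :passwd)",
                 {"uname": username, "passwd": password})
    conn.commit()


if __name__ == "__main__":
    safe = make_db()
    print("matches:", login_parameterised(safe, "alice", INJECTED_PASSWORD))
    print("table still exists:", table_exists(safe))

    unsafe = make_db()
    login_concatenated(unsafe, "alice", INJECTED_PASSWORD)
    print("table still exists after concatenation:", table_exists(unsafe))
```

With the parameterised query the match count is 0 and usersTbl survives, while the concatenated version loses the table. Storing a user whose password is literally `'; DROP TABLE usersTbl;--` with store_user() and logging in with the same bound value returns 1, which shows the value is compared as an ordinary string. One caveat worth keeping in mind when reading the "utterly protected" comment: a parameter can only stand in for a value. Table or column names, ORDER BY expressions, and SQL assembled by string concatenation inside a stored procedure are not covered by parameters and need a whitelist of their own.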
1

Yes, the parameterized query will correctly escape any characters that would allow this to happen.
