2

I have two questions 1. I have a list of string which is the column names. How can i use it in the SQL query? 2. Is the method prone to SQL injection?

This is what i have right now,

List<string> Columnnames = new List<string>();

 cmd = new SqlCommand("Select "+Columnnames+" from test");
Improve this question
11
  • Where do the column names come from? User input? And why do you need it to be dynamic? Commented Sep 3, 2014 at 10:42
  • the only way to truly prevent SQL injection is having mostly everything as View or store procedure in SQL itself with very good triggers and validation. Commented Sep 3, 2014 at 10:44
  • yes it is user input from a listbox with all column names. Commented Sep 3, 2014 at 10:45
  • 1
    @Franck that is simply incorrect; sorry, but it is. Parameterized sql - completely separate to views, sprocs, etc - does not risk sql injection Commented Sep 3, 2014 at 10:49
  • @user3272054 never ever trust the UI ;p Commented Sep 3, 2014 at 10:50

5 Answers 5

Reset to default
1

To answer your questions:

Question 1 - change your code to something like:

List<string> Columnnames = new List<string>();

// Code that populates Columnnames here

cmd = new SqlCommand("Select " + string.Join(",", Columnnames) + " from test");

Question 2 - depends on how you are populating Columnnames. If this is being populated from input over the web then yes.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks that works. The Columnnames is populated over the user input from a listbox with all column name. Is there still a chance for SQL Injection?
@user3272054 what is the UI here? web? winform? WPF? If the answer is "web", then the answer is "yes, absolutely; trivially easy". If the answer is "winform" / "WPF", then "kinda probably yes, but they'd have to really work hard at it, and it would be easier to just go direct to your sql server, since they probably have access"
@user3272054 if it is winforms, and you are doing database access code, then presumably your user already has access to the database server. Asking about SQL injection is almost moot (except for simple things like fixing apostrophe problems) - they can just waltz into the database server
1

If the column names are coming from an outside source, then yes, you would have to concatenate them into the string. You should ideally use [/], but that just allows for column names with spaces etc - it doesn't change anything about SQL injection, and yes: allowing column names to be specified by a user would be a SQL injection risk, unless you white-list them first. So perhaps:

if(Columnnames.Count == 0) throw new ArgumentException(
    "You need to specify at least one column");

var sql = new StringBuilder("select ");
bool first = true;
foreach(var name in Columnnames) {
    if(!IsKnownColumnName(name)) { // <=== very important test
        throw new ArgumentException("Invalid column name: " + name);
    }
    sql.Append(first ? "[" : ",[").Append(name).Append("]");
    first = false;
}
sql.Append(" from test");
...
cmd.CommandText = sql.ToString();
Improve this answer

Comments

0

You can convert list of Columnnames to comma separated column values. Like this:

string columns = Columnnames.Aggregate((x,y) => x + "," + y);
cmd = new SqlCommand("Select "+columns+" from test");

This method is prone to sql injection as someone can easily send column name like column ;drop database yourDB so its a bad idea.

Improve this answer

Comments

0

First check if Columnames haves any value. Second make a function to create something like dus columna, columnb

SqlCommend should look like this select columna , columb from test;

Improve this answer

Comments

0

You should concatenate the column names to the query so that each column name is separated with a comma from the next, e.g. (pseudo)

define sql = "SELECT "

for columnName in columnNames:
    concatenate sql,columnName

    if columnName is not last:
        concatenate sql,","
    end if
end for

concatenate sql," FROM test"

Vulnerability depends on the source of the column names. If you have internal immutable list(s) of column names, then there's no risk but if they somehow originate from an external source, such as a user using the application, then it certainly is prone to SQL-injection.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.