I have a project that I am working on that is essentially a self service database restoration / backup tool for client machines that run a database locally on their machines and contain sensitive information. Due to the nature of the business, and the amount of clients we have I simply cannot create stored procedures to use on the database with the program I am creating.
I am aware that using raw SQL statements in string format is highly susceptible to injection attacks. But with limited access to a database (essentially just to restore and back-up the database) I am asking what is the most effective and secure method to run these commands without compromising security?
Clients would simply choose the option "restore" or "backup" and the backup would only create a full copy-only backup of the database. The file location for both the backup and the restore would be set in the code an be unmodifiable.
