
I've developed a custom web part for SharePoint, and I'm concerned about its security. The web part is essentially a quiz framework that begins by having a user 'register'; they simply enter their name and email address. For successful quizzes, the result is recorded in a list, and those registration variables are placed directly into the list.

Should I be concerned about SQL injection attacks? Is the data escaped by SharePoint before it's added to the list? Or, does SharePoint use named parameters with a prepared statement? Alternatively, does it just go in verbatim?

Thanks for any insight.

UPDATE

I should maybe rephrase that I am inserting code into a SharePoint list, so it's not going 'directly' into the database. I'm uncertain about the process that takes place (specifically regarding security) when an item is inserted into a list and (I'm assuming) into a database table somewhere. Here is some of the code I'm using:

Get user input through standard HTML input

 output.Write("<div>Please enter your e-mail address</div><div><input type=\"text\" value=\"\" size=\"30\" name=\"takerEmail\"></div>");

Here is how the data is inserted

    // Requires a reference to Microsoft.SharePoint ("using Microsoft.SharePoint;").
    // firstName, lastName, email, phone, dept, score and resultsList are set
    // earlier in the web part from the registration form and the quiz result.
    using (SPSite siteSuccessWrite = new SPSite("http://www.mycompany.com"))
    {
        using (SPWeb webSuccessWrite = siteSuccessWrite.OpenWeb())
        {
            // Look up the results list by name and add a new, empty item.
            SPList insertResults = webSuccessWrite.Lists[resultsList];
            SPListItem quizEntry = insertResults.Items.Add();

            // Field values are assigned as plain strings/objects, not built into SQL text.
            quizEntry["firstName"] = firstName;
            quizEntry["lastName"] = lastName;
            quizEntry["email"] = email;
            quizEntry["phone"] = phone;
            quizEntry["department"] = dept;
            quizEntry["score"] = score;

            // Commit the item to the list (and thus to the content database).
            quizEntry.Update();
        }
    }
  • Do show some code. You said "variables are directly put into the list" - how is that happening? Show us the code where the user entered value is converted to a "server value" and we can help you out. Commented Mar 16, 2011 at 23:45

2 Answers


When using the object model you won't have to worry about SQL injection as SharePoint handles that for you (it uses parameterized stored procedures internally).

You DO have to worry about XSS and the like when showing the quiz results to the user/judge, though, as unescaped HTML can easily call the SharePoint Web Services/Client Object Model and do stuff in the context of the current user.
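As an added example of the output-side concern this answer raises (this is not the answerer's or the asker's code), here is a rendering routine that HTML-encodes every stored value before writing it back into the page, so a name entered as markup at registration is displayed as text rather than interpreted by the viewer's browser. The list name and the column names ("firstName", "lastName", "email", "score") are assumed from the question's insert code; System.Web.HttpUtility is used here, and SPHttpUtility.HtmlEncode from Microsoft.SharePoint.Utilities would serve the same purpose.

```csharp
using System;
using System.Web;      // HttpUtility.HtmlEncode / HtmlAttributeEncode
using System.Web.UI;   // HtmlTextWriter, as used by a web part's Render method
using Microsoft.SharePoint;

// Added example: read quiz results back from the list and render them with
// every value encoded for the HTML context it lands in.
public static class QuizResultsRenderer
{
    // Encode a stored list value for placement as element content (between tags).
    // Convert.ToString returns "" for null, so an empty cell is rendered for missing values.
    public static string EncodeForHtml(object listValue)
    {
        return HttpUtility.HtmlEncode(Convert.ToString(listValue));
    }

    // Encode a stored value for placement inside an attribute value, e.g. when
    // re-filling the registration form's <input value="..."> after an error.
    public static string EncodeForAttribute(object listValue)
    {
        return HttpUtility.HtmlAttributeEncode(Convert.ToString(listValue));
    }

    // Writes one table row per list item. siteUrl and resultsList are the same
    // values the question's insert code uses (assumed names).
    public static void RenderResultsTable(HtmlTextWriter output, string siteUrl, string resultsList)
    {
        output.Write("<table><tr><th>Name</th><th>Email</th><th>Score</th></tr>");
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPList results = web.Lists[resultsList];
            foreach (SPListItem item in results.Items)
            {
                // Each stored field is encoded individually; nothing from the list
                // reaches the writer as raw markup.
                string name = EncodeForHtml(item["firstName"]) + " " + EncodeForHtml(item["lastName"]);
                output.Write("<tr><td>" + name + "</td><td>"
                    + EncodeForHtml(item["email"]) + "</td><td>"
                    + EncodeForHtml(item["score"]) + "</td></tr>");
            }
        }
        output.Write("</table>");
    }

    // Example of re-filling the registration input safely (attribute context):
    public static string RegistrationEmailInput(object previousEmail)
    {
        return "<input type=\"text\" size=\"30\" name=\"takerEmail\" value=\""
            + EncodeForAttribute(previousEmail) + "\">";
    }
}
```

The distinction between EncodeForHtml and EncodeForAttribute matters: the asker's own markup puts the e-mail value inside a value="..." attribute, where a stray double quote would otherwise end the attribute, so that context needs attribute encoding rather than plain element-content encoding.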



Are you writing the SQL yourself? If not, I'd test it by conducting some SQL injection attacks of your own. Try entering data like John Smith' -- into a name field and see if the quote and dashes end up in the database. If they don't (or you get no data at all), there may be a SQL injection vulnerability. (Note that this is not an exhaustive test - so don't rely on it)

I would assume that SharePoint contains protection against SQL injection, otherwise every 2nd government and large enterprise site would be done over. (On second thoughts, disregard that :)

For Cross-Site Scripting attacks, try some of the ones from here: http://ha.ckers.org/xss.html
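The round-trip check this answer suggests, written up as an added example (not the answerer's code): a probe value containing a quote and dashes is written through the object model, read back from the list by item ID, and compared byte-for-byte with what was sent. The list and column names are assumed from the question's insert code, and the probe value is the one the answer proposes.

```csharp
using System;
using Microsoft.SharePoint;

// Added example: verify that a value with SQL metacharacters is stored and
// returned unchanged, i.e. it was treated as data rather than as part of a query.
public static class ListRoundTripCheck
{
    public static bool ValueSurvivesRoundTrip(string siteUrl, string resultsList, string probe)
    {
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            SPList results = web.Lists[resultsList];

            // Write the probe exactly as a user would have entered it.
            SPListItem entry = results.Items.Add();
            entry["firstName"] = probe;
            entry.Update();
            int id = entry.ID;

            // Fetch the item again by ID so the value comes back from storage,
            // then remove the test row.
            SPListItem stored = results.GetItemById(id);
            string readBack = Convert.ToString(stored["firstName"]);
            stored.Delete();

            // Ordinal comparison: any character that was dropped or altered fails the check.
            return string.Equals(probe, readBack, StringComparison.Ordinal);
        }
    }

    // Usage (values assumed, site URL taken from the question):
    // bool ok = ListRoundTripCheck.ValueSurvivesRoundTrip(
    //     "http://www.mycompany.com", "QuizResults", "John Smith' --");
}
```

As the answer itself notes, a passing round trip is evidence, not proof; it shows the object model passed the string through intact on this path, which is what the later comments also observed.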

4 Comments

I tested by entering some dashes, quotes, and spaces and it showed up in the list just as I entered it. The question remains as to how it is stored in the database. The characters could be encoded/escaped properly. Since I don't have direct access, I'll have to speak with the database administrator tomorrow. I'll be sure to report on my findings.

If stuff is showing up on the site exactly as you entered it, after going via the database, then it's working properly. If there was SQL injection going on, then some of your input would not have made it to the database row but instead done other (potentially bad) things.

More to the point, it doesn't matter how it's stored in the database. What matters is (a) how it gets there and (b) how it's displayed when it's retrieved.

Good point about the SQL injection not being written to the database - I didn't think that through initially.
