Creating a database in C # and SQL injection

Question

Creating a database in C # and SQL injection

I have the following code used to create some database from a C # application

SqlConnection myConnection = new SqlConnection(ConnectionString);
string myQuery = "CREATE DATABASE " + tbxDatabase.Text; //read from textbox
myConnection.Open();
SqlCommand myCommand = new SqlCommand(myQuery, myConnection);
myCommand.ExecuteNonQuery();

Now I'm worried if this is safe, will C # accept the hacker's input as “A; DROP TABLE B” or something like that? How to make it safer?

+5

c # sql .net sql-server

Rrm Feb 26 '13 at 15:06

source share

5 answers

+1

SP007 26 . '13 15:12

John woo · Answer 1 · 2013-02-26T15:08:40+0000

Table and column names cannot be parameterized, but for the first line of protection, wrap the table name with a delimiter, such as curly braces,

string myQuery = "CREATE DATABASE [" + tbxDatabase.Text + "]";

or create a user definition function that checks the input value, for example

private bool IsValid(string tableName)
{
    // your pseudocode
    // return somthing
}

then in your code

if (IsValid(tbxDatabase.Text))
{
    SqlConnection myConnection = new SqlConnection(ConnectionString);
    string myQuery = "CREATE DATABASE [" + tbxDatabase.Text + "]";
    myConnection.Open();
    SqlCommand myCommand = new SqlCommand(myQuery, myConnection);
    myCommand.ExecuteNonQuery();
}
else
{
    // invalid name
}

Jorge Alvarado · Answer 2 · 2013-02-26T15:10:14+0000

, , - , , .

# ypu ,

David J · Answer 3 · 2013-02-26T15:09:34+0000

.

EDIT: , , CREATE , .

, , , . , -, a-z, A-Z.

StrayCatDBA · Answer 4 · 2013-02-26T16:23:02+0000

- sql QUOTENAME(), .

CREATE PROC example_create_db ( @db_name NVARCHAR(256) )
AS 
    BEGIN
        DECLARE @sql NVARCHAR(1000)
    /*
        QUOTENAME() adds the surrounding []'s
    */

        SET @sql = 'CREATE DATABASE ' + QUOTENAME(@db_name) 
        EXEC sp_executesql
    END

Creating a database in C # and SQL injection

More articles: