Sanitize table/column name in Dynamic SQL in .NET? (Prevent SQL injection attacks) -

-

i generating dynamic sql , ensure code safe sql injection.

for sake of argument here minimal example of how generated:

var sql = string.format("insert {0} ({1}) values (@value)",     tablename, columnname);

in above, tablename, columnname, , whatever bound @value come untrusted source. since placeholders being used @value safe sql injection attacks, , can ignored. (the command executed via sqlcommand.)

however, tablename , columnname cannot bound placeholders , therefor vulnerable injection attacks. since "truly dynamic" scenario, there no whitelist of tablename or columnname available.

the question thus:

is there standard, built-in way check and/or sanitize tablename , columnname? (sqlconnection, or helper class, etc.) if not, way perform task without using 3rd party library?

notes:

  • all sql identifiers, including schema, should accepted: e.g. [schema].[my table].column "safe" table1.
  • can either sanitize identifiers or detect invalid identifier. (it not need ensure table/column valid in context; resulting sql can invalid, must "safe".)

update:

just found this, , thought interesting: there sqlfunctions.quotename function in .net4 (ef4?). okay, doesn't really me here...

since using sqlconnection, assumption sql server database.

given assumption, validate table , field names using regular expression follows sql server identifier rules defined in msdn. while complete , utter novice @ regular expressions, did find 1 should come close:

[\p{l}{\p{nd}}$#_][\p{l}{\p{nd}}@$#_]*

however, regular expression not address sql server keywords , not ensure table and/or column exists (although indicated wasn't of issue).

if application, first ensure end user not trying perform injection rejecting request contained semi-colons (;).

next, validate table existence removing valid name delimiters (", ', [, ]), splitting table name period see if schema specified, , executing query against information_schema.tables determine existence of table.

for example:

select 1    information_schema.tables   table_name = 'tablename'  ,    table_schema = 'tableschema'

if create query using parameters, should further protect injection.

finally, validate existence of each column name performing similar set of steps, using information_schema.columns determine validity of column(s) once table has been determined valid.

i fetch list of valid columns table sql server, verify each request column in list within code. way tell columns in error , provide feedback user.


Comments

Post a Comment

Popular posts from this blog

jasper reports - Fixed header in Excel using JasperReports -

-
how can create excel report fixed header using japserreports? mean need header fixed when scroll excel file. this possible adding couple properties in jrxml file each report. take @ advanced excel features freeze panes. if wanted freeze after first column header (down left side basically) this: <statictext> <reportelement style="sans_bold" mode="opaque" x="0" y="60" width="104" height="20" forecolor="#ffffff" backcolor="#666666"> <property name="net.sf.jasperreports.export.xls.auto.filter" value="start"/> <property name="net.sf.jasperreports.export.xls.column.width" value="110"/> <property name="net.sf.jasperreports.export.xls.freeze.column.edge" value="left"/> </reportelement> &
Read more

media player - Android: mediaplayer went away with unhandled events -

-
i need duration of audio file series of voice announcements need play app. have added audio files resources , play fine. sample code below works perfect intended purpose: return duration of audio files. here code: float getdurationofaudioresource(locationenum loc, context context){ float duration = 0; try { mediaplayer mp; mp = mediaplayer.create(context, getaudioresource(loc)); duration = mp.getduration(); mp.release(); mp = null; } catch (illegalstateexception e) {e.printstacktrace(); logerror(25, "testdescitem:fault::could not open mediaplayer object audio resource.");} return duration; } here's weird thing. code called in main activity prepares set of audio instructions given test. there no errors within activity. second activity called, long string of errors on logcat. 03-07 13:23:43.820: i/actionlogger(21435): gentest_info_test #0 created. 03-07 13:23:43.830: i/actionlogger(21435): gente
Read more

python - ('The SQL contains 0 parameter markers, but 50 parameters were supplied', 'HY000') or TypeError: 'tuple' object is not callable -

-
import pyodbc,nltk,array cnxn = pyodbc.connect('driver={mysql odbc 5.1 driver};server=127.0.0.1;port=3306;database=information_schema;user=root; password=1234;option=3;') cursor = cnxn.cursor() cursor.execute("use collegedatabase ;") cursor.execute("select * sampledata ; ") cnxn.commit() s=[] j=[] x=[] words = [] w = [] sfq = [] pos=[] entry in cursor: s.append(entry.injury_type),j.append(entry.injury_desc) nltk.tokenize import punktwordtokenizer nltk.corpus import stopwords tokenizer = punktwordtokenizer() english_stops = set(stopwords.words('english')) in range(0,26): # filter stop words tokenizer.tokenize(j[i]) w.append([word word in tokenizer.tokenize(j[i]) if word not in english_stops]) in range(0 , 26):#converting tokenzied text ito string sfq.append(" ".join(w[a])) replacers import regexpreplacer replacer = regexpreplacer() in range (0,26):#pos tagging replacer.repl
Read more