ssteenkiste / nettiers

Automatically exported from code.google.com/p/nettiers

Change GetPaged and other methods to build Parameterized queries from the string whereclause #371

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
This would primarily safeguard against SQL Injection.

I have thought about converting it to use the parameterized approach but I am 
not that familiar with the internals of netTiers.

Still, my guess is that the best place is the core GetPaged methods; they should
create parameters from the query.

But I fear it would be too big a change, even though it would make things much
more secure.

Ref: http://community.codesmithtools.com/nettiers/f/16/p/11788/45200.aspx

Original issue reported on code.google.com by vaibhavk...@gmail.com on 15 Feb 2011 at 1:35
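The change the issue asks for, as an added illustration (this is not netTiers code and not the reporter's patch): a GetPaged-style builder that splices the caller's whereClause and orderBy strings into the command text, beside one that takes the filter as typed terms, checks identifiers against a whitelist and sends every comparison value as a SqlParameter. The Customers table, its columns, the FilterTerm type, the PagedQueryBuilder methods and the SQL Server 2012+ OFFSET/FETCH paging are all assumptions made for the example; System.Data.SqlClient is the assumed provider.

```csharp
// Added example, not netTiers code. Contrasts string-spliced paging SQL with a
// parameterized equivalent. Table, columns and method names are hypothetical.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public sealed class FilterTerm
{
    public string Column { get; }
    public string Operator { get; }
    public object Value { get; }

    public FilterTerm(string column, string op, object value)
    {
        Column = column;
        Operator = op;
        Value = value;
    }
}

public static class PagedQueryBuilder
{
    // Hypothetical whitelist: the only identifiers a caller may filter or sort on.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CustomerId", "CompanyName", "Country" };

    private static readonly HashSet<string> AllowedOperators =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "=", "<>", "<", "<=", ">", ">=", "LIKE" };

    // The pattern the issue asks to retire: whereClause and orderBy become part of
    // the command text, so a caller can close the predicate, add OR 1=1 and comment
    // out the ORDER BY and paging that follow.
    public static SqlCommand BuildUnsafe(string whereClause, string orderBy, int start, int pageLength)
    {
        var sql = new StringBuilder("SELECT CustomerId, CompanyName, Country FROM Customers");
        if (!string.IsNullOrEmpty(whereClause))
            sql.Append(" WHERE ").Append(whereClause);
        sql.Append(" ORDER BY ").Append(string.IsNullOrEmpty(orderBy) ? "CustomerId" : orderBy);
        sql.Append(" OFFSET @start ROWS FETCH NEXT @pageLength ROWS ONLY");

        var cmd = new SqlCommand(sql.ToString());
        cmd.Parameters.Add("@start", SqlDbType.Int).Value = start;
        cmd.Parameters.Add("@pageLength", SqlDbType.Int).Value = pageLength;
        return cmd;
    }

    // Parameterized replacement: identifiers are whitelisted and bracket-quoted,
    // every comparison value travels as a SqlParameter, so no caller-supplied text
    // is ever parsed as SQL by the server.
    public static SqlCommand BuildParameterized(IList<FilterTerm> filters, string orderBy, bool descending, int start, int pageLength)
    {
        if (start < 0 || pageLength <= 0)
            throw new ArgumentOutOfRangeException("pageLength");

        var sql = new StringBuilder("SELECT CustomerId, CompanyName, Country FROM Customers");
        var cmd = new SqlCommand();

        if (filters != null && filters.Count > 0)
        {
            var predicates = new List<string>();
            for (int i = 0; i < filters.Count; i++)
            {
                FilterTerm f = filters[i];
                if (!AllowedColumns.Contains(f.Column))
                    throw new ArgumentException("Unknown filter column: " + f.Column);
                if (!AllowedOperators.Contains(f.Operator))
                    throw new ArgumentException("Unsupported operator: " + f.Operator);
                string name = "@p" + i;
                predicates.Add("[" + f.Column + "] " + f.Operator.ToUpperInvariant() + " " + name);
                cmd.Parameters.AddWithValue(name, f.Value ?? DBNull.Value);
            }
            sql.Append(" WHERE ").Append(string.Join(" AND ", predicates));
        }

        string sortColumn = string.IsNullOrEmpty(orderBy) ? "CustomerId" : orderBy;
        if (!AllowedColumns.Contains(sortColumn))
            throw new ArgumentException("Unknown sort column: " + sortColumn);
        sql.Append(" ORDER BY [").Append(sortColumn).Append(descending ? "] DESC" : "] ASC");
        sql.Append(" OFFSET @start ROWS FETCH NEXT @pageLength ROWS ONLY");

        cmd.CommandText = sql.ToString();
        cmd.Parameters.Add("@start", SqlDbType.Int).Value = start;
        cmd.Parameters.Add("@pageLength", SqlDbType.Int).Value = pageLength;
        return cmd;
    }

    public static void Main()
    {
        // Constructed hostile input: closes the literal, widens the filter and
        // comments out everything after it.
        string hostile = "Country = 'NL' OR 1=1 --";
        SqlCommand unsafeCmd = BuildUnsafe(hostile, "CompanyName", 0, 20);
        Console.WriteLine(unsafeCmd.CommandText);

        // The same text supplied as a value: it is bound to @p0 and never parsed as SQL.
        var filters = new List<FilterTerm> { new FilterTerm("Country", "=", "NL' OR 1=1 --") };
        SqlCommand safeCmd = BuildParameterized(filters, "CompanyName", false, 0, 20);
        Console.WriteLine(safeCmd.CommandText);
        foreach (SqlParameter p in safeCmd.Parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
    }
}
```

Both builders run offline, since a SqlCommand can be constructed and inspected without a connection. The whitelist is what makes the ORDER BY safe: column names cannot be parameterized in T-SQL, so the sort column has to be validated against a known set rather than bound as a value.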

GoogleCodeExporter commented 9 years ago
A stop gap measure would be to use the Data.Utility.DetectSqlInjection() in all 
the places that take a string query.

Raise an exception or take other appropriate actions when SQL Injection is 
detected.

Original comment by vaibhavk...@gmail.com on 15 Feb 2011 at 1:39

GoogleCodeExporter commented 9 years ago
Hello,

Do you have a patch of the changes you made to the current version of the 
templates?

Thanks
-Blake Niemyjski

Original comment by bniemyjski on 15 Feb 2011 at 3:31

GoogleCodeExporter commented 9 years ago

Original comment by vaibhavk...@gmail.com on 16 Feb 2011 at 5:20

Attachments:

GoogleCodeExporter commented 9 years ago
Here is another option. This will detect SQL Injection for all GetPaged
methods.
File: /DataAccessLayer.SqlClient/SqlEntityProviderBase.generated.cst

    // Detect SQL injection in the caller-supplied whereClause and orderBy
    // before they reach the command text
    if (Utility.DetectSqlInjection(whereClause) || Utility.DetectSqlInjection(orderBy))
    {
        throw new Exception("SQL Injection Detected.");
    }

I am not sure if throwing an exception is the best way. Alternatively, we could
do this:

    // Detect SQL injection and return an empty page instead of throwing
    if (Utility.DetectSqlInjection(whereClause) || Utility.DetectSqlInjection(orderBy))
    {
        count = 0;
        return rows;
    }

Original comment by vaibhavk...@gmail.com on 16 Feb 2011 at 6:10

Attachments:

GoogleCodeExporter commented 9 years ago
Sorry for too many comments. :)

This patch contains changes for all DB types: SQL, SQL CE, Oracle, Generic.

Hope it helps. Thanks.

Original comment by vaibhavk...@gmail.com on 16 Feb 2011 at 6:39

Attachments:

GoogleCodeExporter commented 9 years ago
Hello,

Thanks for this.

Thanks
-Blake Niemyjski

Original comment by bniemyjski on 16 Feb 2011 at 4:44