{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 SAY GOODBYE 的问题《C# and MySQL .NET Connector - Any way of preventin》','https://www.manongdao.com/q-1182535.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
My idea is to create some generic classes for Insert/Update/Select via a C# (3.5) Winforms app talking with a MySQL database via MySQL .NET Connector 6.2.2.
For example:
public void Insert(string strSQL)
{
if (this.OpenConnection() == true)
{
MySqlCommand cmd = new MySqlCommand(strSQL, connection);
cmd.ExecuteNonQuery();
this.CloseConnection();
}
}
Then from anywhere in the program I can run a query with/without user input by just passing a SQL query string.
Reading around on SO is starting to give me the indication that this may lead to SQL injection attacks (for any user-input values). Is there anyway of scrubbing the inputted strSQL or do I need to go and create individual parameterized queries in every method that needs to do a database function?
UPDATE1:
My Final solution looks something like this:
public void Insert(string strSQL,string[,] parameterValue)
{
if (this.OpenConnection() == true)
{
MySqlCommand cmd = new MySqlCommand(strSQL, connection);
for(int i =0;i< (parameterValue.Length / 2);i++)
{
cmd.Parameters.AddWithValue(parameterValue[i,0],parameterValue[i,1]);
}
cmd.ExecuteNonQuery();
this.CloseConnection();
}}
YES you need to create parameterized queries, anything else is going to introduce a risk of SQL injection
You should definitely be using parameterized queries to keep yourself safe.
You don't have to hand create parameterized queries each time though. You could modify the generic method you provided to accept a collection of
MySqlParameters:I should also mention that you should be VERY careful about cleaning up your connections after you're finished using them (typically handled in a
usingblock, but I don't see that level of detail in your code example).You can't really do this - you'd need to write a SQL parser which to say the least is non-trivial and error prone.
Bite the bullet and parametrize your queries.
I would suggest utilizing IDataParameter objects to parameterize your queries.
if you use
MySqlParameterand do not generate plain string queries you are safe.It's impossible to detect SQL injection after the fact (in other words, once you've constructed a dynamic query string, it's impossible to differentiate what the "real" SQL is versus any injected SQL).
If your intent is to allow users to execute arbitrary SQL, then it would seem like you wouldn't be too worried about SQL injection (since that is the aim of SQL injection).