Colin Bowern (Guest)
Posted: Fri Sep 09, 2005 4:52 pm
Post subject: Protecting against SQL Injection Attacks with CSOLEDB
Having read Mike Howard's Writing Secure Code in the past I'm deeply
concerned with security, especially when there is commerce involved. I
noticed that I am unable to use parameterized commands though with CSOLEDB.
Creating an OleDbCommand with the following CommandText:
SELECT [KeyInfo.UserId] FROM [UserObject] WHERE [KeyInfo.UserId] = ?
results in "The ICommandWithParameters interface is not supported by the
'Commerce.DSO' provider. Command parameters are unsupported with the
current provider.".
Are there any better approaches? The only way I've managed to get a query
working is as follows:
dbCommand.CommandText = "SELECT [" + propertyName + "] FROM [" + profileType
+ "] WHERE [" + propertyName + "] = '" + propertyValue.Replace("'", "''") +
"'";
But that, of course, could easily be circumvented as noted in Howard's
book. So I'm left looking to see if anyone else has found a more secure way
to interface with CSOLEDB?
Thanks,
Colin
Joe Wasson [MSFT] (Guest)
Posted: Fri Sep 16, 2005 8:52 pm
Post subject: RE: Protecting against SQL Injection Attacks with CSOLEDB
CSOLEDB is pretty strict about what it accepts in a query. It does its own
SQL parsing and then recreates the query for Microsoft SQL Server or Active
Directory, based on the underlying datasource(s) for the profile. Doing
the single quote replacement will generally work. As you stated, CSOLEDB
doesn't support parameterized queries so single-quote replacement is your
only option.
-joe
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Colin Bowern" <colin.bowern@nospam.officialcommunity.com>
Subject: Protecting against SQL Injection Attacks with CSOLEDB
Date: Fri, 9 Sep 2005 12:11:45 -0400
Newsgroups: microsoft.public.commerceserver.general
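Colin's snippet doubles single quotes in the value but interpolates propertyName and profileType into the bracketed identifiers untouched, and Joe's reply confirms that quote doubling is the only escaping CSOLEDB leaves you with. The following is an added example, not code from either poster or from Commerce Server, showing the defensive shape such a query builder can take: identifiers are checked against an allowlist rather than escaped (the thread gives no CSOLEDB escaping rule for bracketed names), and the literal gets the quote doubling Joe describes plus a rejection of control characters. The property allowlist, the identifier pattern and the control-character policy are assumptions of this example; in a real application the allowlist would come from the profile schema actually in use. The logic is written in Python for clarity and would be ported line for line into the C# that assigns dbCommand.CommandText.

```python
import re

# Constructed allowlist of the profile types and properties this code is
# willing to query. Only KeyInfo.UserId / UserObject come from the thread;
# the rest is an assumption standing in for the real profile schema.
ALLOWED_PROPERTIES = {
    "UserObject": {"KeyInfo.UserId", "GeneralInfo.FirstName"},
}

# Shape check for identifiers: one or two dotted segments of letters, digits
# and underscores. Anything else (including a closing bracket) is rejected.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?")


def check_identifier(profile_type, property_name):
    """Accept an identifier pair only if both are well-formed and the property
    is on the allowlist for that profile type; raise ValueError otherwise."""
    for name in (profile_type, property_name):
        if not IDENTIFIER_RE.fullmatch(name):
            raise ValueError(f"malformed identifier: {name!r}")
    if property_name not in ALLOWED_PROPERTIES.get(profile_type, set()):
        raise ValueError(f"unknown property {property_name!r} for {profile_type!r}")


def escape_literal(value):
    """Single-quote doubling, the escaping Joe describes as the only option
    with CSOLEDB, plus rejection of control characters (an added policy of
    this example: a profile key never legitimately contains them)."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValueError("control character in literal")
    return value.replace("'", "''")


def build_profile_query(profile_type, property_name, value):
    """Return the same CommandText Colin's snippet builds, but with the
    identifiers allowlisted and the literal escaped."""
    check_identifier(profile_type, property_name)
    return (
        f"SELECT [{property_name}] FROM [{profile_type}] "
        f"WHERE [{property_name}] = '{escape_literal(value)}'"
    )


if __name__ == "__main__":
    # Constructed inputs: a value containing a quote, then two identifiers
    # that must be refused (one malformed, one simply not on the allowlist).
    print(build_profile_query("UserObject", "KeyInfo.UserId", "O'Brien"))
    for args in (("UserObject", "KeyInfo.UserId]", "x"),
                 ("UserObject", "Other.Prop", "x")):
        try:
            build_profile_query(*args)
        except ValueError as exc:
            print("rejected:", exc)
```

The allowlist is the important part: whatever CSOLEDB does with a doubled quote inside a string literal, the thread offers nothing that makes a caller-supplied identifier safe, so the builder only ever emits identifiers it already knows.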