Prevent sql injection with dynamic sql

Text version of the video
http://csharp-video-tutorials.blogspot.com/2017/04/prevent-sql-injection-with-dynamic-sql.html

Healthy diet is very important both for the body and mind. If you like Aarvi Kitchen recipes, please support by sharing, subscribing and liking our YouTube channel. Hope you can help.
https://www.youtube.com/channel/UC7sEwIXM_YfAMyonQCrGfWA/?sub_confirmation=1

Slides
http://csharp-video-tutorials.blogspot.com/2017/04/prevent-sql-injection-with-dynamic-sql_5.html

All SQL Server Text Articles
http://csharp-video-tutorials.blogspot.com/p/free-sql-server-video-tutorials-for.html

All SQL Server Slides
http://csharp-video-tutorials.blogspot.com/p/sql-server.html

All SQL Server Tutorial Videos

All Dot Net and SQL Server Tutorials in English
https://www.youtube.com/user/kudvenkat/playlists?view=1&sort=dd

All Dot Net and SQL Server Tutorials in Arabic
https://www.youtube.com/c/KudvenkatArabic/playlists

In this video we will discuss, how to prevent SQL injection when using dynamic SQL.

In Part 140, we have implemented “Search Page” using dynamic SQL. Since we have used parameters to build our dynamic SQL statements, it is not prone to SQL Injection attack. This is an example of good dynamic SQL implementation.

I have seen lot of software developers, not just the beginners but even experienced developers, buidling their dynamic sql queries by concatenating strings instead of using parameters without realizing that they are opening the doors for SQL Injection.

Please check my blog at the following link for code used in the demo.
http://csharp-video-tutorials.blogspot.com/2017/04/prevent-sql-injection-with-dynamic-sql.html

Since we are concatenating the user input values to build the dynamic sql statement, the end user can very easily inject sql. Imagine, what happens for example, if the user enters the following in the “Firstname” textbox.

‘ Drop database SalesDB —

With the above SQL injected into the “Firstname” textbox, if you click the “Search” button, the following is the query which is sent to SQL server. This will drop the SalesDB.

Select * from Employees where 1 = 1 AND FirstName = ” Drop database SalesDB –‘

On the other hand, if you use parameters to build your dynamic SQL statements, SQL Injection is not an issue. The following input in the “Firstname” textbox, would not drop the SalesDB database.

‘ Drop database SalesDB —

The text the user has provided in the “Firstname” textbox is treated as the value for @Firstname parameter. The following is the query that is generated and executed.

exec sp_executesql N’Select * from Employees where 1 = 1 AND FirstName=@FirstName’,N’@FirstName nvarchar(26)’,@FirstName=N”’ Drop database SalesDB –‘

We don’t have this problem of sql injection if we are using stored procedures. “SearchPageWithoutDynamicSQL.aspx” is using the stored procedure “spSearchEmployees” instead of dynamic SQL. The same input in the “Firstname” texbox on this page, would generate the following. Notice, whatever text we typed in the “Firstname” textbox is treated as the value for @FirstName parameter.

exec spSearchEmployees @FirstName=N”’ Drop database SalesDB –‘

An important point to keep in mind here is that if you have dynamic SQL in your stored procedure, and you are concatenating strings in that stored procedure to build your dynamic sql statements instead of using parameters, it is still prone to SQL injection. If this is not clear at the moment don’t worry, we will discuss an example of this in out next video.

So in summary, while dynamic sql provides great flexibility when implementing complicated logic with lot of permutations and combinations, if not properly implemented it may open doors for sql injection. Always use parameters to build dynamic sql statements, instead of concatenating user input values.

Another benefit of using parameters to build dynamic sql statements is that it allows cached query plans to be reused, which greatly increases the performance. We will discuss an example of this in our upcoming videos.