This SQL query is injection safe
I think the starting code is ok:
SqlCommand param = new SqlCommand();
SqlGeometry point = SqlGeometry.Point(center_lat,center_lng,0);
SqlGeometry poly = SqlGeometry.STPolyFromText(new SqlChars(new SqlString(polygon)),0);
param.CommandText = "INSERT INTO Circle (Center_Point, Circle_Data) VALUES (@point,@poly);";
param.Parameters.Add(new SqlParameter("@point", SqlDbType.Udt));
param.Parameters.Add(new SqlParameter("@poly", SqlDbType.Udt));
param.Parameters["@point"].UdtTypeName = "geometry";
param.Parameters["@poly"].UdtTypeName = "geometry";
param.Parameters["@point"].Value = point;
param.Parameters["@poly"].Value = poly;
However, I realized that there might be a problem when creating the string polygon
.
in javascript - I create it like this:
var Circle_Data = "POLYGON ((";
for (var x = 0; x < pointsToSql.length; x++) { // formatting = 0 0, 150 0, 150 50 etc
if (x == 360) { Circle_Data += pointsToSql[x].lat.toString() + " " + pointsToSql[x].lng.toString() + "))"; }
else { Circle_Data += pointsToSql[x].lat.toString() + " " + pointsToSql[x].lng.toString() + ","; }
}
Then it is piped to C #. So is it safe? even if parameterization happened in the request?
+3
source to share
1 answer
With the parameter, you will be saved from SQL Injection, if any SQL is inserted into the string POLYGON
, it will result in an error at the end of SQL Server.
So, for example, if you have:
POLYGON(12.33 12.55,13.55; DROP TABLE students;)
SQL Server will try to build a geometry type based on the passed string, and it will fail.
+6
source to share