Is this SQL query injection safe?

I think the starting code is ok:

using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Types;

// The geometry values are built client-side; STPolyFromText parses the WKT
// string and throws if it is not well-formed geometry.
SqlCommand param = new SqlCommand();
SqlGeometry point = SqlGeometry.Point(center_lat, center_lng, 0);
SqlGeometry poly = SqlGeometry.STPolyFromText(new SqlChars(new SqlString(polygon)), 0);
// Both values travel as typed UDT parameters, never as text concatenated into the SQL.
param.CommandText = "INSERT INTO Circle (Center_Point, Circle_Data) VALUES (@point, @poly);";
param.Parameters.Add(new SqlParameter("@point", SqlDbType.Udt));
param.Parameters.Add(new SqlParameter("@poly", SqlDbType.Udt));
param.Parameters["@point"].UdtTypeName = "geometry";
param.Parameters["@poly"].UdtTypeName = "geometry";
param.Parameters["@point"].Value = point;
param.Parameters["@poly"].Value = poly;

However, I realized that there might be a problem when creating the polygon string. In JavaScript I create it like this:

var Circle_Data = "POLYGON ((";
for (var x = 0; x < pointsToSql.length; x++) { // formatting = 0 0, 150 0, 150 50 etc
    // the last point closes the string with "))"; every other point is followed by a comma
    if (x == pointsToSql.length - 1) { Circle_Data += pointsToSql[x].lat.toString() + " " + pointsToSql[x].lng.toString() + "))"; }
    else { Circle_Data += pointsToSql[x].lat.toString() + " " + pointsToSql[x].lng.toString() + ","; }
}

Then it is piped to C#. So is it safe, even if parameterization happened in the request?

+3


1 answer


With the parameter you are safe from SQL injection; if any SQL is inserted into the POLYGON string, it will result in an error on the SQL Server side.

So, for example, if you have:

POLYGON(12.33 12.55,13.55; DROP TABLE students;)

SQL Server will try to build a geometry type based on the passed string, and it will fail.

+6
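The check the answer relies on, as an added example that is not part of the original question or answer: this JavaScript builds the POLYGON string the way the question's loop does (closing the ring as WKT requires) and strictly validates any POLYGON string before it is passed on, so the answer's injected example is rejected before a database is involved. The `lat`/`lng` point fields follow the question; the function names and grammar are assumptions.

```javascript
// Added example (not from the original question or answer): build the WKT
// POLYGON string the way the question's loop does, but close the ring as
// WKT requires, and strictly validate any POLYGON string before it is handed
// to the SqlGeometry/parameterized INSERT. The answer's injected example
// fails validation here, long before a database is involved.

// Build "POLYGON ((lat lng, lat lng, ..., lat lng))" from numeric points,
// repeating the first point at the end so the ring is closed.
function buildPolygonWkt(points) {
  if (!Array.isArray(points) || points.length < 3) {
    throw new Error("a polygon ring needs at least 3 distinct points");
  }
  const coords = points.map((p) => {
    if (!Number.isFinite(p.lat) || !Number.isFinite(p.lng)) {
      throw new Error("coordinates must be finite numbers");
    }
    return `${p.lat} ${p.lng}`;
  });
  if (coords[0] !== coords[coords.length - 1]) coords.push(coords[0]);
  return `POLYGON ((${coords.join(", ")}))`;
}

// Strict grammar for a single-ring WKT POLYGON: only signed decimal numbers,
// whitespace, commas and parentheses may appear, so "; DROP TABLE ..." or
// any other stray character is rejected outright.
const NUMBER = "-?\\d+(?:\\.\\d+)?";
const PAIR = `${NUMBER}\\s+${NUMBER}`;
const POLYGON_RE = new RegExp(
  `^POLYGON\\s*\\(\\s*\\(\\s*(${PAIR}(?:\\s*,\\s*${PAIR})*)\\s*\\)\\s*\\)$`,
  "i"
);

// Parse a POLYGON string into [[x, y], ...] or throw if it is malformed.
function parsePolygonWkt(wkt) {
  const m = POLYGON_RE.exec(String(wkt).trim());
  if (!m) throw new Error("not a well-formed single-ring WKT POLYGON");
  const ring = m[1].split(",").map((pair) => pair.trim().split(/\s+/).map(Number));
  if (ring.length < 4) throw new Error("a closed ring needs at least 4 points");
  const first = ring[0], last = ring[ring.length - 1];
  if (first[0] !== last[0] || first[1] !== last[1]) throw new Error("ring is not closed");
  return ring;
}

// True when the string is accepted by the grammar above, false otherwise.
function isValidPolygonWkt(wkt) {
  try { parsePolygonWkt(wkt); return true; } catch (e) { return false; }
}
```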
