Does using parameterized SqlCommand make my program immune to SQL injection?

by

I’d say for your particular, and probably canonical, example for parametrized queries, yes it is sufficient.

However, people sometimes write code like this

cmd.CommandText = string.Format("SELECT * FROM {0} WHERE col = @col;", tableName);
cmd.Parameters.Add("@col", ...);

because there is simply no way to pass the tablename itself as a parameter and the desire to do exists sometimes – misguided or not. It seems it is then often overlooked, that tableName (unless maybe only read from a set of static/constant values that do not derive from any input) indeed allows for SQL injection.

More Related Contents:

  1. What are good ways to prevent SQL injection? [duplicate]
  2. How can I add user-supplied input to an SQL statement?
  3. How do parameterized queries help against SQL injection?
  4. What is the syntax for an inner join in LINQ to SQL?
  5. Why is JsonRequestBehavior needed?
  6. Requested registry access is not allowed
  7. Is it necessary to manually close and dispose of SqlDataReader?
  8. How to prevent a SQL Injection escaping strings
  9. DropdownList DataSource
  10. Executing query with parameters
  11. Best way to store encryption keys in .NET C#
  12. C# Version Of SQL LIKE
  13. Use linq to generate direct update without select
  14. Retrieve an object from entityframework without ONE field
  15. Join and Include in Entity Framework
  16. Why is a SQL float different from a C# float
  17. Table name and table field on SqlParameter C#?
  18. How can I avoid SQL injection attacks in my ASP.NET application?
  19. How to convert SecureString to System.String?
  20. How do I re-write a SQL query as a parameterized query?
  21. Get affected rows on ExecuteNonQuery
  22. Sql Bulk Copy/Insert in C#
  23. Check if a SQL table exists
  24. Issues Doing a String Comparison in LINQ
  25. Use SQL Server time datatype in C#.NET application?
  26. Generating sql code programmatically
  27. Shredding files in .NET
  28. Do we have transactions in MS-Access?
  29. Is SqlConnection.Close() need inside a Using statement?
  30. Best way to restrict access by IP address?

Leave a Comment