3 Replies - 1550 Views - Last Post: 27 July 2012 - 03:03 PM

#1 CasiOo

MySQL & SqlDataSource - injection?

Posted 27 July 2012 - 09:13 AM

I am using my SqlDataSource to execute queries against my MySQL database.
Will it be possible to do SQL injection when I add parameters like below? I am unsure because I never specify a DbType for the parameter (because I need MySQL types).

```csharp
// Positional "?" placeholder; the value is sent as a parameter, not spliced into the SQL text
SqlDataSource.SelectCommand = "SELECT id, name, thumbnail FROM dishes WHERE foodCategoryID=?";
Parameter parameter = new Parameter();
parameter.DefaultValue = "1"; // This value will come from the query string when made correctly
// No DbType is set here, so the provider infers one from the string value
SqlDataSource.SelectParameters.Add(parameter);
CatalogListView.DataBind();
```


This post has been edited by CasiOo: 27 July 2012 - 09:13 AM



Replies To: MySQL & SqlDataSource - injection?

#2 modi123_1

Re: MySQL & SqlDataSource - injection?

Posted 27 July 2012 - 10:27 AM

Quote

Use type-safe SQL parameters for data access. You can use these parameters with stored procedures or dynamically constructed SQL command strings. Parameter collections such as SqlParameterCollection provide type checking and length validation. If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code. An additional benefit of using a parameters collection is that you can enforce type and length checks. Values outside of the range trigger an exception. This is a good example of defense in depth.

http://msdn.microsof...y/ff648339.aspx

MS prefers you specify the datatype... you should be able to do that and be fine.
Was This Post Helpful? 1

#3 CasiOo

Re: MySQL & SqlDataSource - injection?

Posted 27 July 2012 - 02:21 PM

I tried specifying a datatype before but I got an error saying wrong ODBC type. I thought it was because of MySQL datatypes.

Now I tried again and it worked.... guess I just entered the wrong one ^^

Thanks

Edit:
Yeah I think I used uint for: foodCategoryID INTEGER UNSIGNED NOT NULL
It should have been Int64

This post has been edited by CasiOo: 27 July 2012 - 02:27 PM

Was This Post Helpful? 0
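To make the point of the thread concrete, here is an added example (not code from the thread or from the MySQL connector project) showing the same lookup written with string concatenation and then with a typed parameter via MySQL Connector/NET (MySql.Data). The connection string, the `dishes` table layout and the `MySqlDbType.UInt32` mapping for `INTEGER UNSIGNED` are assumptions for the example.

```csharp
// Added example, not from the original post. Assumes MySql.Data is referenced,
// a connection string is supplied by the caller, and a table
// dishes(id, name, thumbnail, foodCategoryID INTEGER UNSIGNED NOT NULL).
using System;
using System.Data;
using MySql.Data.MySqlClient;

static class DishQueries
{
    // Injectable: the raw query-string value becomes part of the SQL text.
    // A crafted value changes the query itself instead of being compared as a number.
    public static DataTable SelectUnsafe(string connStr, string categoryFromQueryString)
    {
        string sql = "SELECT id, name, thumbnail FROM dishes WHERE foodCategoryID="
                     + categoryFromQueryString;
        using var conn = new MySqlConnection(connStr);
        using var cmd = new MySqlCommand(sql, conn);
        var table = new DataTable();
        conn.Open();
        new MySqlDataAdapter(cmd).Fill(table);
        return table;
    }

    // Safe: the value travels as a typed parameter, so the server never parses it as SQL,
    // and the type check rejects anything that is not an unsigned integer up front.
    public static DataTable SelectSafe(string connStr, string categoryFromQueryString)
    {
        if (!uint.TryParse(categoryFromQueryString, out uint categoryId))
            throw new ArgumentException("foodCategoryID must be an unsigned integer");

        using var conn = new MySqlConnection(connStr);
        using var cmd = new MySqlCommand(
            "SELECT id, name, thumbnail FROM dishes WHERE foodCategoryID=@cat", conn);
        // MySqlDbType.UInt32 matches INTEGER UNSIGNED; the DbType-less version in the
        // thread still binds a parameter, it just leaves the type to be inferred.
        cmd.Parameters.Add("@cat", MySqlDbType.UInt32).Value = categoryId;
        var table = new DataTable();
        conn.Open();
        new MySqlDataAdapter(cmd).Fill(table);
        return table;
    }
}
```

Both methods return the same rows for a well-formed id; only the parameterized one is unaffected by what else the query string contains.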

#4 Nakor

Re: MySQL & SqlDataSource - injection?

Posted 27 July 2012 - 03:03 PM

Here is a MySQL connector for .NET. It includes a MySqlDataSource if I remember right. If not, it still makes working with MySQL in your code pretty simple.

Here's the documentation page for it

This post has been edited by Nakor: 27 July 2012 - 03:09 PM

Was This Post Helpful? 1