I have the below code. Before doing the
`dataAdapter.Update(dataset, "TableX");`
I add some rows to the DataTable which have some columns of type nvarchar. Is this prone to SQL injection?

```csharp
// let's say this is where the end user could slip in any malicious string he wanted
dataset.Tables["TableX"].Rows[0]["SomeNvarcharColumn"] = MALICIOUS_SQL_INJECTION_ATTEMPT;
```


What I have tried:

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// selectCommand is a SqlCommand created earlier; userInput is the end user's string
using (var dataAdapter = new SqlDataAdapter(selectCommand))
using (var cmdBuilder = new SqlCommandBuilder(dataAdapter))
{
    cmdBuilder.ConflictOption = ConflictOption.OverwriteChanges;

    using (var dataset = new DataSet())
    {
        var stopwatch = new Stopwatch();

        dataAdapter.UpdateBatchSize = 0;
        dataAdapter.AcceptChangesDuringFill = false;
        dataAdapter.AcceptChangesDuringUpdate = false;

        stopwatch.Start();
        dataAdapter.Fill(dataset, "TableX");

        // AcceptChangesDuringFill is false, so the rows Fill loaded are still
        // marked Added; accept them first so Update sends only the new row
        dataset.AcceptChanges();

        // newRow contains some columns of type nvarchar filled from user input
        // ("SomeNvarcharColumn" stands in for the real column name)
        DataRow newRow = dataset.Tables["TableX"].NewRow();
        newRow["SomeNvarcharColumn"] = userInput;
        dataset.Tables["TableX"].Rows.Add(newRow);

        dataAdapter.Update(dataset, "TableX");
    }
}
```
Updated 31-Mar-16 1:54am (v2)

1 solution

No. SQL Injection only happens when the command itself is "editable" by the user: i.e. when you concatenate strings to form the SQL command.
Provided your SELECT command contains no user input, you should be fine, as the CommandBuilder always uses parameterized queries when generating its SELECT / UPDATE / INSERT commands. The values you send via the parameters are never parsed by SQL, so injection can't occur.
 
 
Comments
OriginalGriff 31-Mar-16 12:35pm    
An example of what?
You already have DataAdapter code...and you can't *want* an example of SQL Injection! :laugh:
MYQueries1 31-Mar-16 13:18pm    
I want to know how CommandBuilder prepares the update commands internally
OriginalGriff 31-Mar-16 14:00pm    
Then it's time for some reading! :laugh:

http://referencesource.microsoft.com/
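As an added example (not code from the question, the answer, or CodeProject), the following console program shows in one run what OriginalGriff's answer describes and what MYQueries1 asks about in the comments: the INSERT and UPDATE text that SqlCommandBuilder prepares, with @pN placeholders where the values would be, and a DataRow whose nvarchar value is a hostile-looking string being stored verbatim as data. It assumes a reachable SQL Server, a scratch table TableX(Id int identity primary key, Name nvarchar(100)) and a placeholder connection string; the table, column names and test string are constructed for this example.

```csharp
// Added example: what SqlCommandBuilder generates, and that DataRow values
// travel as parameters rather than as SQL text. Assumes SQL Server with
// TableX(Id int identity primary key, Name nvarchar(100)); the connection
// string is a placeholder.
using System;
using System.Data;
using System.Data.SqlClient;

class CommandBuilderDemo
{
    const string ConnectionString = "<your connection string>";   // placeholder

    static void Main()
    {
        // Constructed test input that looks like an injection payload; as a
        // parameter value it is nothing more than 34 characters of text.
        string userInput = "Robert'); DROP TABLE TableX; --";

        using (var connection = new SqlConnection(ConnectionString))
        using (var selectCommand = new SqlCommand("SELECT Id, Name FROM TableX", connection))
        using (var dataAdapter = new SqlDataAdapter(selectCommand))
        using (var cmdBuilder = new SqlCommandBuilder(dataAdapter))
        {
            connection.Open();

            // 1. What the builder prepares internally from the SELECT's schema:
            //    parameterized text with one @pN placeholder per column. The
            //    row's values never appear in CommandText.
            SqlCommand insert = cmdBuilder.GetInsertCommand();
            SqlCommand update = cmdBuilder.GetUpdateCommand();
            Console.WriteLine("INSERT: " + insert.CommandText);
            Console.WriteLine("UPDATE: " + update.CommandText);
            foreach (SqlParameter p in update.Parameters)
                Console.WriteLine("  {0} -> column {1}", p.ParameterName, p.SourceColumn);

            // 2. Push a row whose nvarchar value is the hostile string. Update
            //    binds it to the insert command's parameter; SQL Server never
            //    parses it as part of the statement.
            using (var dataset = new DataSet())
            {
                dataAdapter.Fill(dataset, "TableX");
                DataRow newRow = dataset.Tables["TableX"].NewRow();
                newRow["Name"] = userInput;
                dataset.Tables["TableX"].Rows.Add(newRow);
                dataAdapter.Update(dataset, "TableX");
            }

            // 3. Read it back, again with a parameter: the literal string is in
            //    the table and TableX still exists.
            using (var check = new SqlCommand(
                "SELECT COUNT(*) FROM TableX WHERE Name = @name", connection))
            {
                check.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userInput;
                Console.WriteLine("rows holding the literal string: " + check.ExecuteScalar());
            }

            // The one place this pattern can still be injected is the SELECT the
            // builder derives everything from, if it is built by concatenation:
            //   "SELECT Id, Name FROM TableX WHERE Name = '" + userInput + "'"
            // Keep user input out of selectCommand's text; pass it as a parameter.
        }
    }
}
```

Run it against a scratch database: the printed UPDATE text contains only placeholders such as @p1, the COUNT query returns 1 on the first run because the string was stored as data, and the table is intact afterwards.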

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)