Prevent SQL Injection with Spark 4.5
Refer to the code in Core.cs line 312. Could there be a potential security vulnerability with the raw SQL statement supplied? Other than supplying data through Parameters, are there any ways to further reduce the risk of SQL injection with a raw SQL statement?
Jason C, Dec 30, 2013
The CreateCommand method you refer to is a private helper which cannot be called directly. It accepts a parameterized SQL statement and parameters which are used to set up parameterized queries. There is no vulnerability.
All SQL in Spark consists of parameterized queries (also called prepared statements) which is the most important way for .NET developers to prevent SQL Injection.
However, parameterizing your queries is not the only tool available in our toolbox. In general it is good practice to have additional safeguards, by using whitelists, blacklists, regular expressions, etc.; essentially all user entries are checked and validated before they get sent down to be used as parameters or to set up SQL.
Hope this helps.
Jack Poorte, Dec 30, 2013
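The three safeguards the answer names (parameterized queries, a whitelist for the parts of a statement that cannot be parameterized, and a regular-expression check on the input itself) in one piece of plain ADO.NET. This is an added illustration, not code from Spark or from the poster; the `Users` table, column names, the user-name pattern and the placeholder connection string are assumptions made for the demo, and no connection is actually opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added illustration, not Spark's code: parameterized SQL plus whitelist and
// regular-expression checks on user input, as described in the answer above.
public static class SafeQueries
{
    // The pattern to avoid: untrusted text concatenated into the statement.
    // Kept here only so the contrast with the parameterized form is visible.
    public static string BuildUnsafeSql(string userName)
    {
        return "SELECT Id, UserName FROM Users WHERE UserName = '" + userName + "'";
    }

    // Parameterized query: the value is sent separately from the SQL text, so
    // quotes or comment markers inside userName are never parsed as SQL.
    public static SqlCommand CreateLookupCommand(SqlConnection connection, string userName)
    {
        SqlCommand command = connection.CreateCommand();
        command.CommandText = "SELECT Id, UserName FROM Users WHERE UserName = @userName";
        command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
        return command;
    }

    // Identifiers (table and column names, ORDER BY targets) cannot be passed
    // as parameters, so a requested sort column is matched against a fixed
    // whitelist and the canonical name from the list is the one spliced in.
    private static readonly string[] SortableColumns = { "Id", "UserName", "CreatedOn" };

    public static string ResolveSortColumn(string requested)
    {
        foreach (string column in SortableColumns)
        {
            if (string.Equals(column, requested, StringComparison.OrdinalIgnoreCase))
                return column;
        }
        throw new ArgumentException("Unsupported sort column: " + requested, "requested");
    }

    // Regular-expression check applied before the value is used even as a
    // parameter. The allowed character set is an assumption for this demo.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.@-]{1,256}$", RegexOptions.Compiled);

    public static bool IsWellFormedUserName(string userName)
    {
        return userName != null && UserNamePattern.IsMatch(userName);
    }

    // Combines all three safeguards: validate the value, parameterize it, and
    // whitelist the identifier that has to become part of the statement text.
    public static SqlCommand CreateListCommand(SqlConnection connection, string userNamePrefix, string sortColumn)
    {
        if (!IsWellFormedUserName(userNamePrefix))
            throw new ArgumentException("Rejected user name input", "userNamePrefix");

        string column = ResolveSortColumn(sortColumn);
        SqlCommand command = connection.CreateCommand();
        command.CommandText =
            "SELECT Id, UserName FROM Users WHERE UserName LIKE @prefix ORDER BY [" + column + "]";
        command.Parameters.Add("@prefix", SqlDbType.NVarChar, 257).Value = userNamePrefix + "%";
        return command;
    }

    public static void Main()
    {
        // Constructed hostile input for the demonstration.
        string hostile = "' OR 1=1 --";

        Console.WriteLine("Unsafe text:   " + BuildUnsafeSql(hostile));

        // Placeholder connection string; the connection is never opened.
        using (var connection = new SqlConnection("Server=(local);Database=Placeholder;Integrated Security=true"))
        {
            SqlCommand safe = CreateLookupCommand(connection, hostile);
            Console.WriteLine("Parameterized: " + safe.CommandText);
            Console.WriteLine("@userName =    " + safe.Parameters["@userName"].Value);

            Console.WriteLine("Regex accepts hostile input? " + IsWellFormedUserName(hostile));
            Console.WriteLine("Sort column resolves to:     " + ResolveSortColumn("username"));
        }
    }
}
```

The whitelist returns the canonical column name rather than echoing the caller's string, so nothing the caller typed ever reaches the statement text. The regular expression also excludes `%` and `_`, which keeps the caller from smuggling extra LIKE wildcards into the prefix search.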
Volkan, sorry for the long delay in the response, but I'm sure you must have figured it out by now. Are you talking about Serialization and De-serialization from the xml to an unknown class? You can do this but you must have an existing class that represents the Xml so the serializer will know how to deserialize the xml to a class. I hope this helps.
Oct 23, 2012
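What the reply describes, as an added example (not code from the thread or from Spark): an existing class that mirrors the XML so XmlSerializer knows how to map it, built as a composite so a membership can contain nested memberships. The element and attribute names, and the sample document, are invented for this illustration because the actual Membership XML is not shown in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Assumed shape of the Membership XML: a group that can contain roles and
// nested memberships (the composite pattern). Names are made up for the demo.
[XmlRoot("Membership")]
public class Membership
{
    [XmlAttribute("name")]
    public string Name { get; set; }

    [XmlElement("Role")]
    public List<string> Roles { get; set; }

    // Recursive element: a membership that holds other memberships.
    [XmlElement("Membership")]
    public List<Membership> Children { get; set; }

    public Membership()
    {
        Roles = new List<string>();
        Children = new List<Membership>();
    }
}

public static class MembershipXml
{
    private static readonly XmlSerializer Serializer = new XmlSerializer(typeof(Membership));

    // The serializer maps the document onto the existing class above. DTD
    // processing is prohibited and the resolver removed so the reader only
    // accepts plain XML and never fetches external entities.
    public static Membership Deserialize(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            return (Membership)Serializer.Deserialize(reader);
        }
    }

    public static string Serialize(Membership membership)
    {
        using (var writer = new StringWriter())
        {
            Serializer.Serialize(writer, membership);
            return writer.ToString();
        }
    }

    // Walks the composite and counts every node, which shows the nested
    // memberships were mapped to instances of the same class.
    public static int CountNodes(Membership root)
    {
        int total = 1;
        foreach (Membership child in root.Children)
            total += CountNodes(child);
        return total;
    }

    public static void Main()
    {
        // Constructed sample document for the demonstration.
        const string sample =
            "<Membership name=\"Everyone\">" +
            "  <Role>Reader</Role>" +
            "  <Membership name=\"Staff\">" +
            "    <Role>Editor</Role>" +
            "    <Membership name=\"Admins\"><Role>Administrator</Role></Membership>" +
            "  </Membership>" +
            "</Membership>";

        Membership root = Deserialize(sample);
        Console.WriteLine("Root: " + root.Name + ", nodes: " + CountNodes(root));
        Console.WriteLine(Serialize(root));
    }
}
```

Round-tripping through Serialize after Deserialize is a quick way to confirm the class really matches the document: any element the class does not declare is silently dropped by XmlSerializer and will be missing from the output.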
Hi King, thanks for your answer. I want to create the above Membership XML with a composite pattern and after that I want to create my custom Membership class by using that XML.
Sep 06, 2012