Prevent SQL Injection in Dynamic column names

Tags: postgresql


You can get the column names from the database and compare to check the user has entered a valid column name.


SQL Injection happens because user-entered data is used in a dynamic query without parameterizing it. Unfortunately, in your case the user-entered data cannot be parameterized, so the solution is to not let the user enter that data.

A possible workaround would be to use a whitelist (not a BLACKlist) of acceptable characters. But really, you should see about obtaining a list of fieldNames and verifying the user's input (and then use YOUR version of the string, not the one that came from the user).

User entered data is always suspect, and should be avoided if at all possible.


One thing you could do is go ahead and create your dynamic query but put something like this as a prefix:

"IF EXISTS(SELECT * FROM sys.columns where object_id=OBJECT_ID('mytable') and name = @dynamicName)    SELECT * FROM mytable WHERE [" + dynamicName + "] = 'Whatever your test is.'"

Yeah, it makes the query a little more expensive, but it is protected against injection.
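The three answers above share one idea: the user's string is never placed in the query; it is only compared against the column names the database itself reports, and the server's own copy of the matching name is used. The following is an added example (not code from any of the answers) that shows that allow-list step for PostgreSQL in application code. The column list is a constructed stand-in for what `SELECT column_name FROM information_schema.columns WHERE table_name = ...` would return; the table name `mytable` and the column names are made up for the illustration, and `quote_ident` mirrors the quoting PostgreSQL's own `quote_ident()` applies to identifiers.

```python
# Constructed stand-in for a catalog lookup such as
#   SELECT column_name FROM information_schema.columns
#   WHERE table_schema = 'public' AND table_name = 'mytable';
# In a real application this list comes from the database (fetched per
# request or cached), never from anything the user sent.
KNOWN_COLUMNS = {
    "mytable": ["id", "email", "created_at", "Full Name"],  # constructed sample
}


def resolve_column(table: str, user_input: str) -> str:
    """Return the catalog's own spelling of a column, or raise ValueError.

    The user's string is used only as a lookup key.  Whatever is returned
    is the server-provided name, so input that is not exactly a real
    column (different case, extra characters, anything else) is rejected.
    """
    try:
        columns = KNOWN_COLUMNS[table]
    except KeyError:
        raise ValueError(f"unknown table: {table!r}")
    for name in columns:
        if name == user_input:          # exact, case-sensitive comparison
            return name                 # hand back OUR copy, not the input
    raise ValueError(f"unknown column for {table}: {user_input!r}")


def is_valid_column(table: str, user_input: str) -> bool:
    """Boolean form of resolve_column, convenient for an input-validation layer."""
    try:
        resolve_column(table, user_input)
        return True
    except ValueError:
        return False


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier the way quote_ident() does:
    wrap it in double quotes and double any embedded double quote,
    so a mixed-case or space-containing column name stays one identifier."""
    return '"' + name.replace('"', '""') + '"'


def build_query(table: str, user_column: str) -> str:
    """Build a parameterised SELECT for a user-chosen column.

    Only the identifier is interpolated, and only after it has been
    resolved against the catalog list.  The comparison value is left as
    a bind parameter (%s) for the driver, exactly as the answers advise.
    """
    column = resolve_column(table, user_column)   # raises on anything unknown
    return f"SELECT * FROM {quote_ident(table)} WHERE {quote_ident(column)} = %s"


if __name__ == "__main__":
    # Typical use: build the statement, then pass the value separately,
    # e.g. cur.execute(build_query("mytable", requested), (value,)).
    print(build_query("mytable", "Full Name"))
```

With psycopg2 the same construction can be expressed as `sql.SQL("SELECT * FROM {} WHERE {} = %s").format(sql.Identifier(table), sql.Identifier(column))`, which performs the identifier quoting for you; the catalog comparison in `resolve_column` is still the step that matters, since quoting alone does not establish that the name refers to a real column.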