Can I get SQL injection attack from SELECT statement?


To answer your questions.

A: Yes, you can get an SQL Injection attack from any query that takes parameters (even calling stored procedures if you are not using the provided methods by your platform and doing it via SQL calls).

I was asked to provide an example of how an injection can be made even by using stored procedure. I've seen applications developed that do use stored procedures, but in this way:

    // C# - DON'T DO THIS!
    String regionName = assignedSomewhereElse();
    SqlCommand sqlCmd = DatabaseConnection.CreateCommand();
    // The user-supplied value is pasted straight into the SQL text,
    // so a quote in regionName changes the statement itself.
    sqlCmd.CommandText =
        String.Format("EXECUTE sp_InsertNewRegion '{0}'", regionName);
    sqlCmd.ExecuteNonQuery();

Obviously, this is not the way to call a stored procedure. You should use your platform's abstractions or parametrized queries.


B: SQLDataSource is an abstraction layer for your database. It will create the SQL queries for you and automatically sanitize them in order to prevent injection.

In order to avoid injection, either:

  • Sanitize your inputs
  • Use the abstraction layer provided by your platform.
  • Use parametrized queries.


You can get an SQL injection attack anytime that you are not using parameterized queries, for the most part.

In your example,

 SELECT * from MyTable

there isn't any user-inputted data, so that should be fine. However, something like:

 SELECT * from MyTable WHERE name='x'

(x being a parameter) then there's a chance that someone injects some SQL into their name.

B: ASP.NET uses parameterized queries because it builds the query based on the parameters that you provide programmatically.


Injection hacks occur when you give the user the ability to manipulate the query. With parametrized queries, most (if not all) threats are neutralized, as special characters are escaped so that only the query you intended is executable.

Example:
Search Box: [ ] [ GO ]

select * from myTable where keywords like '%$searchTerm%'

Then the hacker inserts a '; to terminate the query and can write any other query they want.
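The search-box case above, and the `WHERE name='x'` case from the earlier answer, both come down to the same mechanism: text pasted into the SQL string is parsed as SQL, while a bound parameter is never parsed. The following is an added example, not code from any of the answers; it uses Python's built-in `sqlite3` module and an in-memory table standing in for `myTable` (both constructed here) to put the string-built query beside its parameterized form. It also covers one thing the answers do not mention: parameters stop injection, but `%` and `_` typed by the user still act as `LIKE` wildcards unless they are escaped.

```python
import sqlite3

# Constructed sample rows (name, keywords); not from the original post.
SAMPLE_ROWS = [
    ("widget", "blue widget small"),
    ("gadget", "red gadget o'reilly"),
    ("gizmo", "100% natural gizmo"),
]


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the poster's myTable (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (name TEXT, keywords TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn: sqlite3.Connection, search_term: str) -> list:
    """The vulnerable pattern from the answer: the user's text is pasted into
    the SQL string. A single quote in the input ends the literal early, so the
    rest of the input is read as SQL grammar rather than as data."""
    sql = "SELECT name FROM myTable WHERE keywords LIKE '%" + search_term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn: sqlite3.Connection, search_term: str) -> list:
    """Parameterized form: the statement text is fixed and the value travels
    separately, so quotes in the input are never parsed as SQL."""
    sql = "SELECT name FROM myTable WHERE keywords LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + search_term + "%",)))


def escape_like(term: str, esc: str = "\\") -> str:
    """Parameters stop injection but not LIKE wildcards: a user typing '%'
    still matches every row. Escape %, _ and the escape character itself."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe_literal(conn: sqlite3.Connection, search_term: str) -> list:
    """Parameterized AND wildcard-escaped, so the input is matched literally."""
    sql = "SELECT name FROM myTable WHERE keywords LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(search_term) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


def demo() -> dict:
    """Run the three variants on ordinary and awkward input and collect results."""
    conn = make_db()
    results = {}
    results["safe_plain"] = search_safe(conn, "widget")
    results["unsafe_plain"] = search_unsafe(conn, "widget")
    # An apostrophe in perfectly ordinary input breaks the string-built query:
    # the quote closes the literal and the remainder is parsed as SQL.
    try:
        search_unsafe(conn, "o'reilly")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    # The same input is just data to the parameterized query.
    results["safe_quote"] = search_safe(conn, "o'reilly")
    # '%' as the search text matches every row unless wildcards are escaped.
    results["safe_percent"] = search_safe(conn, "%")
    results["literal_percent"] = search_safe_literal(conn, "%")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The syntax error raised by `search_unsafe` on `o'reilly` is the benign face of the problem the answer describes: once the quote ends the literal, whatever follows is interpreted as SQL, which is exactly what parameter binding prevents. The `ESCAPE` clause is standard SQL, so the same wildcard handling applies to the ASP.NET stack the answers discuss.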