Tags: sql-server, perl, sql-injection, aspdotnetstorefront

protect against sql injection when the sql is being transmitted via XML


This Raw SQL WSI API appears very powerful, but it also appears to be the only way to retrieve the IDs of the entities I need. I need to be able to retrieve a manufacturer by name, for example (I'm debating whether there's a better way). On the assumption that the best way is to send a query like this:

    'SELECT ManufacturerGUID FROM Manufacturer WHERE Name = ' . "$name"

which is a really bad idea, and I hate myself for even writing that... but I'm not sure how best to sanitize it. Usually the parameterization is done via the SQL driver (AFAIK); the only thing I can think of is... could I perhaps get the final SQL string back from DBD::ODBC? Other suggestions welcome. Perhaps there is a sanitization library I could use?

To clarify, I have no actual control over ASP.NET Storefront's API. The manufacturer name is the only parameter that comes from human input, so I shouldn't have to worry about how I code the rest of it. Yes, this API is an incredibly stupid idea, and it'd be great if they had given me a way to parameterize the query.


Solution

  • I found this documentation, which suggests there is a QueryParams option:

    <query name="Entities" rowElementName="Entity"> 
    <sql> 
     <![CDATA[ 
      select Name,Description from {EntityName} with (NOLOCK) where {EntityName}ID=@EntityID 
    ]]> 
    </sql> 
    <querystringreplace replaceTag="{EntityName}" 
        replacetype="runtime" 
        replaceparamname="EntityName" 
        defvalue="" 
        validationpattern="(category)|(section)|(affiliate)|(manufacturer)|(distributor)|(library)" /> 
    <queryparam paramname="@EntityID" 
        paramtype="runtime" 
        requestparamname="EntityID" 
        sqlDataType="int" 
        defvalue="0" 
        validationpattern="" /> 
    </query> 
    

    I believe this is sufficient to prevent SQL injection (though it'd be nice to have someone who knows the product confirm). Why this isn't mentioned at all in the main SQL interface documentation I'll never understand.
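The following is an added example, not code from the question, the answer or AspDotNetStorefront itself. It builds a query document in the shape quoted in the answer and puts the human-supplied manufacturer name in a runtime `queryparam` bound to `@Name`, so the hostile string never becomes SQL text, next to the string-concatenated query from the question for contrast. Assumptions not shown on the page: that the API accepts `sqlDataType="nvarchar"`, that request parameters are delivered alongside the query as a name/value map, and that a `{EntityName}GUID` column exists for each allowlisted entity; the element name `EntityByName` and parameter name `Name` are invented for the example.

```python
import re
import xml.etree.ElementTree as ET

# validationpattern from the answer: {EntityName} is pasted straight into the
# SQL text, so it must only ever be one of these literal words.
VALIDATION_PATTERN = (
    "(category)|(section)|(affiliate)|(manufacturer)|(distributor)|(library)")
ENTITY_ALLOWLIST = re.compile(r"^(?:" + VALIDATION_PATTERN + r")$")


def unsafe_lookup_sql(name):
    """The concatenation from the question: the user's input becomes SQL."""
    return "SELECT ManufacturerGUID FROM Manufacturer WHERE Name = '" + name + "'"


def build_entity_lookup(entity_name, name_value):
    """Return (query_xml, request_params) for looking an entity up by name.

    The <sql> text is a fixed template. The human-supplied name travels only
    in the request parameter map, bound to @Name by the <queryparam> element.
    Assumption: sqlDataType="nvarchar" and a {EntityName}GUID column exist
    (the page only shows sqlDataType="int" and a Name/Description select).
    """
    if not ENTITY_ALLOWLIST.match(entity_name):
        # Client-side mirror of the server's validationpattern, so a bad
        # entity name fails loudly here instead of reaching the API.
        raise ValueError("entity name %r is not in the allowlist" % entity_name)

    query = ET.Element("query", name="EntityByName", rowElementName="Entity")
    sql = ET.SubElement(query, "sql")
    sql.text = ("select {EntityName}GUID from {EntityName} with (NOLOCK) "
                "where Name = @Name")
    ET.SubElement(query, "querystringreplace",
                  replaceTag="{EntityName}", replacetype="runtime",
                  replaceparamname="EntityName", defvalue="",
                  validationpattern=VALIDATION_PATTERN)
    ET.SubElement(query, "queryparam",
                  paramname="@Name", paramtype="runtime",
                  requestparamname="Name", sqlDataType="nvarchar",
                  defvalue="", validationpattern="")
    # ElementTree XML-escapes the text; the answer's CDATA wrapper is only
    # needed when the SQL itself contains '<' or '&'.
    query_xml = ET.tostring(query, encoding="unicode")
    request_params = {"EntityName": entity_name, "Name": name_value}
    return query_xml, request_params


def sql_text_of(query_xml):
    """Extract the SQL the server would execute from the query document."""
    return ET.fromstring(query_xml).findtext("sql")


if __name__ == "__main__":
    # Constructed hostile input: a classic tautology-plus-comment payload.
    hostile = "Acme' OR 1=1 --"
    print("concatenated:", unsafe_lookup_sql(hostile))
    xml, params = build_entity_lookup("manufacturer", hostile)
    print("parameterised SQL:", sql_text_of(xml))
    print("request params:", params)
```

Running it shows the payload inside the concatenated statement, while the parameterised document carries only the fixed template with `@Name`; the payload is confined to the `Name` request parameter, which the server binds as a typed value. The entity name is the one piece that is still string-substituted, which is exactly why it is gated by an allowlist on both sides.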