I need to make a CREATE CREDENTIAL statement in .NET with credential name, identity, and password passed in from a user interface. A naive implementation would look like this (please forgive the VB):
Dim cmd As SqlClient.SqlCommand = c.CreateCommand
cmd.CommandText = "CREATE CREDENTIAL [" & credentialName & "] WITH IDENTITY = N'" & identityName & "', SECRET = N'" & password & "'"
It works, but it’s vulnerable to SQL injections. I tried to use parameters like this:
cmd.CommandText = "CREATE CREDENTIAL [@CREDENTIALNAME] WITH IDENTITY = @IDENTITYNAME, SECRET = @PASSWORD"
cmd.Parameters.AddWithValue("@CREDENTIALNAME", "myCred")
cmd.Parameters.AddWithValue("@IDENTITYNAME", "Tyler")
cmd.Parameters.AddWithValue("@PASSWORD", "SecretPassword")
But I’m getting the error Incorrect syntax near ‘@IDENTITYNAME’. I’ve tried different combinations of brackets / no brackets, but nothing has worked.
CREATE CREDENTIALtakes a credential name, not a string or expression.You may want to explore the Credential.Create method.