I usually use SQL parameters with queries, but in this case I need to dynamically create more than just the parameters.
Could someone use injection on any of the variables? Aside from a stored procedure, is there a simple way to protect against injection via code?
string whereClause = "WHERE " + filter.ToString() + " > " + nextStartPoint;
string orderBy = "ORDER BY " + filter.ToString() + " DESC";

e.g.

string sql = "SELECT TOP(" + numItemsToGet + ") * " +
             "FROM Items " +
             whereClause + " " +
             orderBy;
Update
filter.ToString() is the actual column name
I'm surprised the following worked (partial example)... I also thought you had to reference a column name with SQL parameters.
cmd.Parameters.AddWithValue("Count", 10);
string sql = "SELECT TOP(@Count) * " +
Yes, this is definitely subject to injection. If the user controls the
filter parameter then it's very easy for them to inject bad SQL into your statement. The simplest way to prevent an injection attack is to use
SqlCommand to build up your command. It's designed to help prevent such attacks and will take the appropriate steps to protect your input.
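The following is an added example, not code from the question or the answer above, and it uses Python with the built-in sqlite3 module rather than C#/SqlClient so that it runs stand-alone. The point it illustrates carries over directly: a column name is an identifier, not a value, so it cannot be passed as a parameter (which is why TOP(@Count) works but ORDER BY @Column does not). Instead the column name is checked against an allow-list of known columns, and the actual values (the start point and the row count) are bound as parameters. The table names, sample rows and the ALLOWED_COLUMNS map are constructed for the example; TOP(n) is written as LIMIT because SQLite has no TOP.

```python
import sqlite3

# Names the application accepts for the filter/sort column, mapped to the
# real column identifiers. In the C# code this is the role an enum plus
# filter.ToString() would play; the point is that only these strings can
# ever reach the SQL text. (Constructed for this example.)
ALLOWED_COLUMNS = {"Id": "Id", "Price": "Price"}


def setup_db():
    """In-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (Id INTEGER PRIMARY KEY, Name TEXT, Price INTEGER);
        INSERT INTO Items VALUES (1, 'hammer', 12), (2, 'saw', 30),
                                 (3, 'drill', 80), (4, 'nails', 2);
        CREATE TABLE Secrets (Id INTEGER PRIMARY KEY, ApiKey TEXT);
        INSERT INTO Secrets VALUES (1, 'api-key-XYZ');
    """)
    return conn


def fetch_unsafe(conn, filter_name, next_start_point, num_items):
    """String concatenation, mirroring the question (TOP written as LIMIT)."""
    where_clause = "WHERE " + filter_name + " > " + str(next_start_point)
    order_by = "ORDER BY " + filter_name + " DESC"
    sql = ("SELECT * FROM Items " + where_clause + " " + order_by
           + " LIMIT " + str(num_items))
    return conn.execute(sql).fetchall()


def fetch_safe(conn, filter_name, next_start_point, num_items):
    """Identifier taken from an allow-list, values bound as parameters."""
    column = ALLOWED_COLUMNS.get(filter_name)
    if column is None:
        raise ValueError("unknown filter column: %r" % (filter_name,))
    if not isinstance(num_items, int) or num_items < 0:
        raise ValueError("num_items must be a non-negative integer")
    # Quote the identifier in the dialect's style ("..." in SQLite;
    # [...] or QUOTENAME() in T-SQL). Only allow-listed names get here.
    sql = ('SELECT * FROM Items WHERE "%s" > ? ORDER BY "%s" DESC LIMIT ?'
           % (column, column))
    return conn.execute(sql, (next_start_point, num_items)).fetchall()


# A filter value an attacker could supply: completes the comparison, appends
# a UNION against another table and comments out the rest of the statement.
PAYLOAD = "Id > 0 UNION SELECT Id, ApiKey, 0 FROM Secrets --"


def demo():
    """Run the payload through both builders and a normal query through the safe one."""
    conn = setup_db()
    leaked = fetch_unsafe(conn, PAYLOAD, 5, 3)
    try:
        fetch_safe(conn, PAYLOAD, 5, 3)
        blocked = False
    except ValueError:
        blocked = True
    top_two = fetch_safe(conn, "Price", 10, 2)
    return leaked, blocked, top_two


if __name__ == "__main__":
    leaked, blocked, top_two = demo()
    print("unsafe query leaked:", [r for r in leaked if r[1] == "api-key-XYZ"])
    print("safe query rejected payload:", blocked)
    print("safe query result:", top_two)
```

In ADO.NET the same split applies: pick the column from an enum or a fixed dictionary and quote it yourself, then pass nextStartPoint and numItemsToGet through cmd.Parameters so that they are sent as typed values rather than spliced into the statement text.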