In our DB access layer we have some dynamic query creation. For instance, we have the following method for building a part of an ORDER BY clause:
protected string BuildSortString(string sortColumn, string sortDirection, string defaultColumn)
{
    if (String.IsNullOrEmpty(sortColumn))
    {
        return defaultColumn;
    }
    // Both values are concatenated straight into the ORDER BY clause.
    return String.Format("{0} {1}", sortColumn, sortDirection);
}
The problem is, sortColumn and sortDirection both come from outside as strings, so of course something should be done to prevent possible injection attacks. Does anybody have any idea how this can be done?
If you have to deal in strings, then white-listing is your best bet. Firstly, sortDirection should be pretty trivial to white-list: a case-insensitive compare to "asc"/"desc" and you should be set. For the others, my preference would be to white-list to known columns, perhaps by passing in the expectedType for the data and validating. But at an absolute pinch, you could restrict with regex to (say) enforce they are all strictly alpha-numeric (in the a-z, A-Z, 0-9 range; maybe underscore if needed) and then add [], i.e.
But: strict white-list of known columns would be much better, as would an enum for the direction.
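The following is an added example, not code from the question or the answer above, showing the hardened shape the answer recommends: the sort column is resolved against a fixed map of known columns, the direction is an enum, and the emitted identifier is wrapped in [] (SQL Server quoting). The column names ("id", "name", "created" mapping to Id, Name, CreatedUtc) and the hostile inputs in Main are constructed for the example; the method keeps the original BuildSortString signature so it can drop into the access layer described in the question.

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the original question or answer): a white-listing
// replacement for BuildSortString. Unknown columns and directions are
// rejected with an exception rather than "cleaned" and passed through.
public enum SortDirection { Ascending, Descending }

public static class SortSpec
{
    // Maps the names a caller may pass (case-insensitive) to the exact column
    // identifiers we are willing to emit. Hypothetical columns for the example.
    private static readonly Dictionary<string, string> AllowedColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "id",      "Id" },
            { "name",    "Name" },
            { "created", "CreatedUtc" },
        };

    public static string BuildSortString(string sortColumn, string sortDirection, string defaultColumn)
    {
        // The default column comes from code, not the user, but it still goes
        // through the white-list so a typo there never becomes raw SQL either.
        string column = ResolveColumn(String.IsNullOrEmpty(sortColumn) ? defaultColumn : sortColumn);
        SortDirection dir = ParseDirection(sortDirection);

        // Only a value taken from AllowedColumns reaches the format string, and
        // it is bracket-quoted so it can never be read as a keyword or expression.
        return String.Format("[{0}] {1}", column, dir == SortDirection.Ascending ? "ASC" : "DESC");
    }

    private static string ResolveColumn(string name)
    {
        string resolved;
        if (name != null && AllowedColumns.TryGetValue(name.Trim(), out resolved))
        {
            return resolved;
        }
        // Reject outright; do not try to strip the bad characters out.
        throw new ArgumentException("Unknown sort column: " + name);
    }

    private static SortDirection ParseDirection(string value)
    {
        if (String.IsNullOrEmpty(value))
        {
            return SortDirection.Ascending;
        }
        string v = value.Trim();
        if (String.Equals(v, "asc", StringComparison.OrdinalIgnoreCase))
        {
            return SortDirection.Ascending;
        }
        if (String.Equals(v, "desc", StringComparison.OrdinalIgnoreCase))
        {
            return SortDirection.Descending;
        }
        throw new ArgumentException("Unknown sort direction: " + value);
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(SortSpec.BuildSortString("name", "DESC", "id"));  // [Name] DESC
        Console.WriteLine(SortSpec.BuildSortString("", null, "created"));   // [CreatedUtc] ASC

        // Constructed hostile inputs of the kind the question is worried about:
        // none of them is in AllowedColumns, so none of them reaches the query.
        string[] hostile = { "Name; DROP TABLE Users--", "Name]", "(SELECT 1)", "Name, (SELECT Password FROM Users)" };
        foreach (string bad in hostile)
        {
            try
            {
                SortSpec.BuildSortString(bad, "asc", "id");
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

The dictionary doubles as the mapping from the name your API exposes to the column it really sorts on, which is what the answer means by white-listing to known columns: the caller never gets to name a column directly, only to pick one of yours. The regex fallback the answer mentions (alphanumeric plus underscore, then []) is weaker because it still lets a request sort on any column in the table, including ones you may not want to expose as sortable.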