Is there an accepted way to both use the log4net ado provider and guard against SQL injection? I can do my own hand rolled scrubbing methods, but that strikes me as risky.
Is there some kind of “DontLetPeopleOwnMyDatabase” = true setting?
our current dangerous config:
<appender name="ADONetAppender" type="log4net.Appender.ADONetAppender">
<threshold value="ERROR"/>
<bufferSize value="1"/>
<connectionType value="System.Data.SqlClient.SqlConnection, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<connectionString value="server=myDBServer; uid=myuserName; pwd=myPassword; database=myDatabase"/>
<commandText value="INSERT INTO errorlog([message], [ServerName], [ApplicationName]) VALUES(@message, 'myServer', 'myApp')" />
<parameter>
<parameterName value="@message"/>
<dbType value="String"/>
<size value="4000"/>
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%message"/>
</layout>
</parameter>
</appender>
Maybe I’m wrong, but you are already using parameters, so there is no risk of SQL injection.
@messageis passed as a separate SQL parameter by log4net, not through string concatenation.But if you are that afraid about SQL injection, how about using a stored procedure…?
Edit Fear no more, dear OP. Here is the missing proof that the log4net logging mechanism is safe against SQL injection:
So, prepared -> pre-compiled -> safe parameter assignment.
If you need more info, you may find it here.