Small background: I’m the only programmer for this company. I’m working with pre-existing frameworks.
That said, the company has a DLL (Database.dll) which contains “all the database interactions I need”. As in, it has a Query(), Update(), Insert(), etc. Now, the project I’m writing sets a reference to Database.dll. My project accepts zero user input. The closest thing to user input is a dropdown box that the user can select a date from. Not having much experience with it, I’m curious if I still need to worry about SQL injections? And if so, would a query written like
```csharp
// The query as posted: the selected date is rendered to text and spliced into the SQL string.
var query = string.Format(
    "SELECT timestamp FROM table1 WHERE date = \"{0}\" AND measured_dist = bit_loc AND rop > 0",
    Date);
```
be sufficient as a parameterized query? Keep in mind, all of the query execution is handled by the pre-existing Query() that I’m told I have to use, and can’t edit.
EDIT
This program is a WinForm application.
As noted in comments, the answer is “always”. Since it would be so easy to add a parameter to that and do it properly, rather than concatenation: just do it right first time. Also: have you considered that injection is not the only problem in the code you’ve shown? That code is also susceptible to localisation / internationalisation. What happens for a user who has their PC configured in a different culture? The dates and numbers will get rendered differently – and will often break. That doesn’t happen with parameters. Also: names often have apostrophes in 🙂
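To make the two points in this answer concrete, here is an added example (not code from the question or the answerer, and not using the company's Database.dll, whose API is unknown): the concatenating pattern from the question next to a parameterized version built with the standard SqlCommand, assumed here to stand in for whatever Query() does underneath. Running it under two cultures shows the concatenated SQL text changing while the parameterized statement stays identical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // assumption: a SQL Server provider; any ADO.NET provider works the same way
using System.Globalization;
using System.Threading;

class QueryExamples
{
    // The pattern from the question: the DateTime is converted to text using the
    // current culture, and that text becomes part of the SQL statement itself.
    public static string BuildByConcatenation(DateTime date)
    {
        return string.Format(
            "SELECT timestamp FROM table1 WHERE date = \"{0}\" AND measured_dist = bit_loc AND rop > 0",
            date);
    }

    // Parameterized form: the statement text is fixed and the value travels as a typed
    // DateTime. Culture settings, quotes or apostrophes in the value cannot alter the SQL.
    public static SqlCommand BuildParameterized(DateTime date)
    {
        var cmd = new SqlCommand(
            "SELECT timestamp FROM table1 WHERE date = @date AND measured_dist = bit_loc AND rop > 0");
        cmd.Parameters.Add("@date", SqlDbType.DateTime).Value = date;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample value standing in for the dropdown selection.
        var picked = new DateTime(2023, 3, 5, 14, 30, 0);

        // Same DateTime rendered under two cultures: the concatenated SQL differs
        // (month/day order, separators, 12- versus 24-hour clock).
        Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US");
        Console.WriteLine(BuildByConcatenation(picked));
        Thread.CurrentThread.CurrentCulture = new CultureInfo("de-DE");
        Console.WriteLine(BuildByConcatenation(picked));

        // The parameterized statement text does not depend on culture at all;
        // only the typed parameter value is sent alongside it.
        var cmd = BuildParameterized(picked);
        Console.WriteLine(cmd.CommandText);
        Console.WriteLine(cmd.Parameters["@date"].Value);
    }
}
```

If Query() only accepts a finished SQL string and cannot take parameters, that is the limitation to raise with whoever owns Database.dll, since no amount of formatting on the caller's side gives the same guarantee.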