[Security] Always use parameterized queries
Posted answer1215
SQL databases are commonly used to store data; for example, your application could store user profile information in a database. You should never build inline SQL or other database queries in your code from raw user input and send them directly to the database; this is a recipe for disaster, as we saw above.
For example, do not write code like the following inline SQL example:

string userName = Request.QueryString["username"]; // receive input from the user BEWARE!
...
string query = "SELECT * FROM [dbo].[users] WHERE userName = '" + userName + "'";
Here we concatenate text strings together to create the query, taking the input from the user and generating a dynamic SQL query to look up the user. Again, if a malicious user realized we were doing this, or just tried different input styles to see whether there was a vulnerability, we could end up with a major disaster. Instead, use parameterized SQL statements or stored procedures such as this:

-- Lookup a user
CREATE PROCEDURE sp_findUser
(
    @UserName varchar(50)
)
AS
SELECT * FROM [dbo].[users] WHERE userName = @UserName
With this method you can invoke the procedure from your code safely, passing it the userName string without worrying about it being treated as part of the SQL statement.
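The following is an added, runnable illustration of the difference the article describes; it is not code from the original post. It uses Python's built-in sqlite3 module and an in-memory table with constructed sample rows instead of SQL Server and ADO.NET, so it runs offline; sqlite3 uses positional `?` placeholders where T-SQL would use a named `@UserName` parameter, but the principle is the same: the driver sends the value separately from the SQL text, so the database never parses user input as part of the statement.

```python
import sqlite3

# Constructed sample data standing in for the [dbo].[users] table.
# The second user's name contains an apostrophe, a perfectly legitimate value
# that breaks string-concatenated SQL.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, user_name):
    """The pattern the article warns against: the value is spliced into the SQL text,
    so whatever the user typed is parsed as SQL."""
    query = "SELECT userName, email FROM users WHERE userName = '" + user_name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, user_name):
    """Parameterized form: the SQL text is fixed and the value travels as data.
    Quotes or SQL keywords inside user_name are compared literally."""
    query = "SELECT userName, email FROM users WHERE userName = ?"
    return conn.execute(query, (user_name,)).fetchall()


def compare(user_name):
    """Run both lookups on a fresh database and return (unsafe_result, safe_result).
    The unsafe result is an 'error: ...' string when the concatenated SQL fails to parse."""
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, user_name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    safe = find_user_safe(conn, user_name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for name in ("alice", "O'Brien", "' OR '1'='1"):
        unsafe, safe = compare(name)
        print(f"input={name!r}\n  concatenated: {unsafe}\n  parameterized: {safe}")
```

For an ordinary name both versions agree. For a name containing an apostrophe the concatenated query is malformed and fails, while the parameterized query finds the row. For the classic `' OR '1'='1` input the concatenated query returns every row in the table, whereas the parameterized query returns nothing, because no user is literally named that. Only the parameterized function gives correct results for all three inputs, which is exactly why the article says to always use it.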