Curly Braces in sql statement WHERE clause

Question

0.00/5 (No votes)

See more:

Can someone explain the use of the curly braces in the WHERE clause in the example below.

SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus
FROM CurrentRecord c
WHERE {0} = '{1}'

Posted 13-Apr-15 5:25am

Member 11492541

Add a Solution

Comments

Sergey Alexandrovich Kryukov 13-Apr-15 15:19pm

Are you using ADO.NET? Your formatting attempt suggests that it is likely.
—SA

2 solutions

Solution 2

Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA

Posted 13-Apr-15 9:11am

Sergey Alexandrovich Kryukov

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

ZurdoDev · Accepted Answer · 2015-04-13T05:39:00

Solution 1

That is not valid SQL. You are likely only seeing a part of C# code. {0} and {1} are placeholders in C# and often used with String.Format.

C# is likely dumping values into those placeholders.

Posted 13-Apr-15 5:39am

ZurdoDev

Comments

Richard Deeming 13-Apr-15 11:59am

The C# code is also likely to be vulnerable to SQL Injection[^].

ZurdoDev 13-Apr-15 12:09pm

Unless it is sanitized somehow, you are correct.

Sergey Alexandrovich Kryukov 13-Apr-15 15:12pm

Sanitizing is not a very good idea. Real mitigation of SQL injection should be based on parametrized statements. Please see my answer I added.
—SA

ZurdoDev 13-Apr-15 15:14pm

It all depends. Sometimes you have no choice.

However, OP did not write the code so although it is good to explain SQL injection, that doesn't help the user with their original question.

Sergey Alexandrovich Kryukov 13-Apr-15 15:16pm

True, but I think it's still useful, as this is a bad mistake many make.
It is very likely that the intention was to use string.Format to compose the query, which would create this vulnerability. So, in this case, "no choice" is unlikely the case.
The real problem is worse: the question suggests that the inquirer doesn't really understand how SQL works here with the host application, which is quite likely a .NET one.
I asked the inquirer appropriate question in my comment to the question.
—SA

Sergey Alexandrovich Kryukov 13-Apr-15 15:12pm

Good catch, a 5.
—SA