infopth xml file transmision to sql server security

Question

0.00/5 (No votes)

See more:

, +

Suppose we have an app that gets N filled Infopath forms (xml file) from an external source and inserts them into corresponding tables on an SQL Server. Form fields are either simple strings or base64 strings (for images and attachments). These fields are used as insertion FunctionImports' parameters. I must add that a dbo user is used to work with SQL Server. Is there any serious external attack on our database?

my functionImports look like this:

C#

public static void Change ( string action,
                            string id,
                            string finalCode,
                            string nam,
                            string telephone,
                            string email,
                            byte[] pic,
                            string group34,
                            string field21,
                            string field22,
                            string field25,
                            string fileId,
                            string usr )
    {
    using ( appEntities appEntities = new appEntities ( Globals.EnityConn ) )
        {
        try
            {
            try
                {
                appEntities.spChange ( action,
                                       id,
                                       finalCode,
                                       nam,
                                       telephone,
                                       email,
                                       pic,
                                       group34,
                                       field21,
                                       field22,
                                       field25,
                                       fileId,
                                       usr );
                }
            catch (Exception exception)
                {
                throw exception;
                }
            finally
                {
                if ( appEntities.Connection.State == ConnectionState.Open )
                    {
                    appEntities.Connection.Close();
                    }
                }
            }
        catch (Exception exception)
            {
            throw exception;
            }
        }
    }

thanks

Posted 29-Apr-14 22:06pm

sh_ho121

Updated 30-Apr-14 3:41am

gggustafson

v3

Add a Solution

Comments

gggustafson 30-Apr-14 9:54am

What is the outermost try-catch for. It's not needed.

Break the habit of "using ( appEntities appEntities ...". Rather use a variable that has a different name from that of its type, like "using ( appEntities app_entities...".

If appEntities.spChange is an interface method to a stored procedure, that method should be parameterizing the values passed to it. This will help guard against "SQL injection" attacks.

See http://msdn.microsoft.com/en-us/library/yy6y35y8(v=vs.90).aspx

sh_ho121 3-May-14 6:26am

at first thank you guys all, so much for your help.
about outer-most try-catch you are right! It's emotional than logical. In fact it's a template that I put the call to spChange() in it.

Sorry about "using(appEntities appEntities..."! It's a typo occurred after code manipulation. It's correct syntax is "using(AppEntities appEntities..." (I'll apply this modification to the question)

spChange() is a function import of my database model in Entity Framework v4. and its auto-generated code is as below:
<pre>
public int spChange(global::System.String action, global::System.String id, global::System.String finalCode, global::System.String nam, global::System.String telephone, global::System.String email, global::System.Byte[] pic, global::System.String group34, global::System.String field21, global::System.String field22, global::System.String field25, global::System.String fileId, global::System.String usr)
{
ObjectParameter actionParameter;
if (action != null)
{
actionParameter = new ObjectParameter("Action", action);
}
else
{
actionParameter = new ObjectParameter("Action", typeof(global::System.String));
}

ObjectParameter idParameter;
if (id != null)
{
idParameter = new ObjectParameter("Id", id);
}
else
{
idParameter = new ObjectParameter("Id", typeof(global::System.String));
}

ObjectParameter finalCodeParameter;
if (finalCode != null)
{
finalCodeParameter = new ObjectParameter("FinalCode", finalCode);
}
else
{
finalCodeParameter = new ObjectParameter("FinalCode", typeof(global::System.String));
}

ObjectParameter namParameter;
if (nam != null)
{
namParameter = new ObjectParameter("Nam", nam);
}
else
{
namParameter = new ObjectParameter("Nam", typeof(global::System.String));
}

ObjectParameter telephoneParameter;
if (telephone != null)
{
telephoneParameter = new ObjectParameter("Telephone", telephone);
}
else
{
telephoneParameter = new ObjectParameter("Telephone", typeof(global::System.String));
}

ObjectParameter emailParameter;
if (email != null)
{
emailParameter = new ObjectParameter("Email", email);
}
else
{
emailParameter = new ObjectParameter("Email", typeof(global::System.String));
}

ObjectParameter picParameter;
if (pic != null)
{
picParameter = new ObjectParameter("Pic", pic);
}
else
{
picParameter = new ObjectParameter("Pic", typeof(global::System.Byte[]));
}

ObjectParameter group34Parameter;
if (group34 != null)
{
group34Parameter = new ObjectParameter("group34", group34);
}
else
{
group34Parameter = new ObjectParameter("group34", typeof(global::System.String));
}

ObjectParameter field21Parameter;
if (field21 != null)
{
field21Parameter = new ObjectParameter("field21", field21);
}
else
{
field21Parameter = new ObjectParameter("field21", typeof(global::System.String));
}

ObjectParameter field22Parameter;
if (field22 != null)
{
field22Parameter = new ObjectParameter("field22", field22);

smallprogrammers 3-May-14 0:25am

I agree with you

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

gggustafson · Accepted Answer · 2014-05-03T06:22:00

Some comments about your reply.

Please use some coding guidelines. I published some under the Code Project article "Minimalist Coding Guidelines". The areas that I think you should read are "Edge Detection" under "Indentation" and "Identifier Spelling".
Limit the length of your lines. Your declaration of spChange is more than 400 characters long. That is too long for anyone to comprehend. See my example below.
Don't use names that conflict with those already in the global namespace. See "Identifier Spelling" in "Minimalist Coding Guidelines". By so doing, "global::System.String" can be replaced by "string" and "global::System.Byte" by "byte", making your code more compact.
Don't use abbreviations even if to you their meanings are apparent. I am referring to "nam" and "usr" for which I see no advantage (other than obfuscation). If you are going to use abbreviations, follow the rules in "Minimalist Coding Guidelines".
When you supply code to Code Project, you do not need to supply every line. If a construct repeats, just show one or two followed by ellipses (I use two commented colons). That way the reader does not have go through each line.

C#

public int spChange ( string    action,
                      string    id,
                      string    final_code,
                      string    name,
                      string    telephone,
                      string    email,
                      byte [ ]  picture,
                      string    group34,
                      string    field21,
                      string    field22,
                      string    field25,
                      string    fileId,
                      string    user )
    {

    ObjectParameter action_parameter;
    if ( action != null )
        {
        action_parameter = new ObjectParameter ( "Action",
                                                 action );
        }
    else
        {
        action_parameter = new ObjectParameter (
                                        "Action",
                                        typeof ( string ) );
        }

    ObjectParameter id_parameter;
    if ( id != null )
        {
        id_parameter = new ObjectParameter ( "Id", id );
        }
    else
        {
        id_parameter = new ObjectParameter (
                                        "Id",
                                        typeof ( string ) );
        }
    // :
    // :
    }

I see no reason to be concerned with SQL injection. Your stored procedure interface seems secure.