
I'm creating an app that has a text box where users can input a command to be run against a SQL Server instance. I've imported the System.Data.SqlClient object, and here's the code I have so far:

 Dim preSQLcmd As String = Me.txtPreSQL.Text
 Databasefn.preTestSQL(preSQLcmd)

Databasefn.preTestSQL looks like this:

Sub preTestSQL(cmd As SqlCommand)
    con = New SqlConnection("Data Source=" & utilnamespace.sqlSvr & ";Database=" & utilnamespace.testDbName & ";integrated security=SSPI;")
    cmd.Connection.Open()
    cmd.ExecuteNonQuery()
    cmd.Connection.Close()
End Sub

What am I missing here?

  • That does not sound safe. Delete From tableName oh, no more data! Commented Jan 8, 2014 at 20:29
  • For how this app is gonna be used, that's absolutely fine. It's part of a test system, where the database is going to be restored after the tests are run anyway. Commented Jan 8, 2014 at 20:31

1 Answer 1


Change your preTestSQL to receive the string with the SQL command text, and then build the SqlCommand inside the procedure.

Imports System.Data.SqlClient

Sub preTestSQL(cmdText As String)
    ' Build both the connection and the command here; the caller only passes the SQL text
    Using con As New SqlConnection("Data Source=" & utilnamespace.sqlSvr & ";Database=" & utilnamespace.testDbName & ";integrated security=SSPI;")
        Using cmd As New SqlCommand(cmdText, con)
            con.Open()            ' open the connection itself (the original con.Connection.Open() does not compile)
            cmd.ExecuteNonQuery()
        End Using
    End Using                     ' End Using disposes the connection, which also closes it
End Sub

That said, I should ask: are you sure that this is wise?

A malicious user could easily destroy your whole database with a functionality like that.

Examples:

 UPDATE PayRoll SET WeekWage = 1000  -- (no where condition??)
 DELETE FROM Employee 
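One mitigation for exactly those statements, added here as an example and not part of the answer above: run the ad-hoc text inside a SqlTransaction and return the affected row count, rolling back unless the tester explicitly asks to commit, so "DELETE FROM Employee" can be previewed before it is really applied. The connection string is assumed to be built the same way as in the question (utilnamespace.sqlSvr and utilnamespace.testDbName); the module and function names are my own.

```vb
Imports System.Data.SqlClient

Module AdHocSqlRunner
    ' Executes user-supplied command text on the test database inside a transaction.
    ' With commit = False the statement is rolled back after it runs, so the caller
    ' sees how many rows it would have touched without changing the database.
    ' Note: ExecuteNonQuery returns -1 for non-DML statements (e.g. CREATE TABLE).
    Function RunAdHoc(connectionString As String, cmdText As String, commit As Boolean) As Integer
        Using con As New SqlConnection(connectionString)
            con.Open()
            Using tx As SqlTransaction = con.BeginTransaction()
                Using cmd As New SqlCommand(cmdText, con, tx)
                    cmd.CommandTimeout = 30   ' seconds; a runaway statement should not hang the tool
                    Dim affected As Integer = cmd.ExecuteNonQuery()
                    If commit Then
                        tx.Commit()
                    Else
                        tx.Rollback()         ' preview only: undo everything the statement did
                    End If
                    Return affected
                End Using
            End Using
        End Using
    End Function

    Sub Main()
        ' Assumed connection string, same shape as the one in the question
        Dim cs As String = "Data Source=" & utilnamespace.sqlSvr & ";Database=" & utilnamespace.testDbName & ";integrated security=SSPI;"
        ' First call previews, second call applies the same text for real
        Dim wouldAffect As Integer = RunAdHoc(cs, Me.txtPreSQL.Text, commit:=False)
        Console.WriteLine("Statement would affect " & wouldAffect & " rows")
    End Sub
End Module
```

Because both the preview and the real run go through the same function, the tool can show the row count from the rolled-back run and only call it again with commit:=True after the tester confirms.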

3 Comments

Yep, it's fine. This is an extremely limited use application that will only be used within our test system on a test database. The database is in no way production. I appreciate the thought though.
I'll definitely think about the security though, just in case it somehow gets leaked to someone outside the company, to make sure it can't be used to run something against some random db.
I'll definitely put thought into the security model around the app though. Thanks for asking, it's always good to revisit that stuff periodically.
