Hi Friends,

In my project, I have kept all SQL queries in a resource (.resx) file.

My doubts are:
- Are SQL injection attacks possible using a resource (.resx) file?
- If SQL injection is possible, then how and where should all SQL queries be maintained?

Please let me know the best solution for the above-mentioned problem.

Thanks,
Shanmuga Raja

What I have tried:

Unable to find the right suggestion for my doubts.
Posted
Updated 19-Mar-22 8:12am

It has nothing to do with where the queries are stored. It's how the queries are filled with data to modify the query. Say you have a query that accepts a value for a WHERE clause. If you're not preparing the query for execution properly, you're exposing code to exploitation.
Comments
[no name] 19-Oct-18 16:32pm    
I don't think it is possible to prevent manipulation of the resource data, and then, even if the code is properly implemented using parameters, you can always manipulate the resource and add malicious SQL statements. But that is really a very theoretical scenario. Maybe I'm wrong, but I don't think so.
Dave Kreskowiak 19-Oct-18 21:28pm    
It's possible to do, but difficult.
Quote:
Sql injection attacks possible using resource(.resx) file.
SQL injection is made possible when your queries are exposed to code injection. It doesn't matter how you store the queries, rather how they execute. It is of no benefit whether you store and load the SQL queries from a file, or even from a network, or store them in resource files, or in memory: if the query is exposed to injection, it will be injected with code.

Think of the code: if you are concatenating the strings, like
SQL
var query = "SELECT * FROM table_name WHERE primary_column = '" + variable + "'";
it will not matter whether this query comes from a resource, a network, or is hard-coded inside the program. You need to change this query to prevent the injection.

Quote:
If sql injection is possible then how and where to maintain all sql queries.
You need to write the queries in a secure manner; using parameters is encouraged. You should also consider whether the user is able to modify any of these queries or not. Your program should take care of the queries that it executes.

Although every engine has its own security loopholes, and you can easily search Google for engine-specific documentation and recommendations, I would recommend you start here: SQL Injection | Microsoft Docs.
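The answer's point, shown as an added example (not code from the original thread): the same query text gives different results depending only on how it is executed. The "resource" lookup is a stand-in dictionary assumed in place of ResourceManager, the database is an in-memory SQLite file via the Microsoft.Data.Sqlite NuGet package so it runs offline, and the hostile input is constructed for the demo.

```csharp
// Added example, not from the original post. Compares a concatenated query
// with a parameterised one over the same data; the query text could just as
// well have come from a .resx entry.
using System;
using System.Collections.Generic;
using Microsoft.Data.Sqlite;

static class ResxQueryDemo
{
    // Stand-in for Strings.resx entries (constructed for this example).
    static readonly Dictionary<string, string> Queries = new()
    {
        // Vulnerable shape: meant to be filled in by string concatenation.
        ["FindUserUnsafe"] = "SELECT name FROM users WHERE name = '{0}'",
        // Hardened shape: carries a named parameter placeholder instead.
        ["FindUserSafe"]   = "SELECT name FROM users WHERE name = @name",
    };

    // Runs the query and returns the number of rows it produced. When
    // paramValue is non-null it is bound as data, never spliced into the SQL.
    static int CountRows(SqliteConnection conn, string sql, string? paramValue)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = sql;
        if (paramValue is not null)
            cmd.Parameters.AddWithValue("@name", paramValue);
        using var reader = cmd.ExecuteReader();
        int n = 0;
        while (reader.Read()) n++;
        return n;
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE users(name TEXT); " +
                "INSERT INTO users VALUES ('alice'), ('bob'), ('carol');";
            setup.ExecuteNonQuery();
        }

        // Constructed hostile input: a tautology that closes the quote early.
        string input = "x' OR '1'='1";

        // Concatenation: the input becomes part of the SQL, so the WHERE
        // clause is always true and every row comes back.
        string unsafeSql = string.Format(Queries["FindUserUnsafe"], input);
        Console.WriteLine($"concatenated  -> {CountRows(conn, unsafeSql, null)} rows");

        // Parameter: the input is compared literally against the name column
        // and matches nobody.
        Console.WriteLine($"parameterized -> {CountRows(conn, Queries["FindUserSafe"], input)} rows");
    }
}
```

Run it with `dotnet run` in a console project that references Microsoft.Data.Sqlite: the concatenated form returns all three users, the parameterised form returns none. Moving the placeholder form into the .resx is harmless; what matters is that the resource entry never contains the `'{0}'` shape that invites concatenation.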
Comments
[no name] 19-Oct-18 16:32pm    
I don't think it is possible to prevent manipulation of the resource data, and then, even if the code is properly implemented using parameters, you can always manipulate the resource and add malicious SQL statements. But that is really a very theoretical scenario. Maybe I'm wrong, but I don't think so.
Afzaal Ahmad Zeeshan 19-Oct-18 16:44pm    
Exactly, that was the point. A user can easily modify the correctly implemented and secure SQL queries if they are written in the resource files.

They can apply some tricks to counter that—remember these stupid hacks are only required if the SQL queries are stored in resource files; no sane mind would do that.

One way that I can think of off the top of my head is to check whether the query matches the hash value that was generated from the secure query. If tampering is detected, they can abort. But of course, there would be a more secure and better approach to this as well.

As for storage in the resource file, I was just following up with OP, otherwise, I do not find any reason to do so. :-)
[no name] 19-Oct-18 16:47pm    
Which is finally an argument for signed applications, even though I'm not that happy with this at the moment. Anyway, a 5 now ;)
Afzaal Ahmad Zeeshan 19-Oct-18 16:51pm    
Thanks, well, OP is an OP after all. ;-)
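The hash check suggested in the comments above, as an added example that is not part of the original thread: each resource-stored query is pinned to a SHA-256 digest compiled into the application, and a query whose digest no longer matches is refused before it reaches the database. The resource lookup is a stand-in dictionary assumed in place of ResourceManager; the pins are computed inline from the approved text here to keep the example self-contained, whereas a real build step would emit the hex digests once and paste them in as literals.

```csharp
// Added example, not from the original thread. Detects a tampered .resx
// query by comparing its SHA-256 digest with a pinned, compiled-in value.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class PinnedQueries
{
    // Stand-in for the .resx entries as shipped (constructed).
    static readonly Dictionary<string, string> Resources = new()
    {
        ["FindUser"]   = "SELECT name FROM users WHERE name = @name",
        ["DeleteUser"] = "DELETE FROM users WHERE id = @id",
    };

    // Known-good digests. In a real project only these bytes live in the
    // (signed) main assembly; they are derived from the approved text here
    // purely so the example runs stand-alone.
    static readonly Dictionary<string, byte[]> Pins = new()
    {
        ["FindUser"]   = Digest("SELECT name FROM users WHERE name = @name"),
        ["DeleteUser"] = Digest("DELETE FROM users WHERE id = @id"),
    };

    static byte[] Digest(string query) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(query));

    // Loads a query from the resource store and verifies it against its pin.
    // Throws instead of returning anything that fails the check.
    public static string Load(string key)
    {
        if (!Resources.TryGetValue(key, out var sql))
            throw new KeyNotFoundException($"no query named '{key}'");
        if (!Pins.TryGetValue(key, out var expected))
            throw new InvalidOperationException($"no pinned digest for '{key}'; refusing to execute");

        // Constant-time comparison so the check itself leaks nothing about
        // how many leading bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(Digest(sql), expected))
            throw new InvalidOperationException($"query '{key}' does not match its pinned digest; refusing to execute");

        return sql;
    }

    static void Main()
    {
        // An untouched entry passes the check and is returned unchanged.
        Console.WriteLine("ok: " + Load("FindUser"));

        // Simulate an edited .resx: the WHERE clause has been removed.
        Resources["DeleteUser"] = "DELETE FROM users";
        try
        {
            Load("DeleteUser");
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

Two caveats follow from the thread itself. The pins only detect a change to the query text; they do nothing for a query that is still filled in by concatenation, so the entries must already be in parameterised form. And the pin table has to sit somewhere the person editing the .resx cannot also edit, which is why the follow-up comment lands on signed applications as the more general answer.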

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)