This is a migrated thread and some comments may be shown as answers.

SQL Injection Vulnerability?

7 Answers 595 Views
Filter
This is a migrated thread and some comments may be shown as answers.
Chris
Top achievements
Rank 1
Chris asked on 15 Jul 2010, 06:13 AM
Correct me if I'm wrong, but It seems that using the RadFilterSqlQueryProvider to generate a SQL where clause, which is then used in a query that gets executed against your database, is extremely vulnerable to SQL injection attacks.  A user could type an entire SQL statement into a filter field editor, and the RadFilterSqlQueryProvider will simply inject that directly into the where clause verbatim.

If this is true, is there any way to protect against this? Is the only alternative to create your own QueryProvider to generate a parameterized query instead?

Thanks,

Chris

7 Answers, 1 is accepted

Sort by
0
Nikolay Rusev
Telerik team
answered on 15 Jul 2010, 12:26 PM
Hello Chris,

RadFilter does not directly apply the values from UI to DB. The values are firstly parsed to proper data type and secondly there are certain symbols that are escaped in order to prevent from SQL injections.

Regards,
Nikolay
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
0
Chris
Top achievements
Rank 1
answered on 18 Jul 2010, 07:55 AM
Thanks for the response.  It's good to know that RadFilter has measures to combat SQL injection when interacting directly with other controls like RadGrid.  However, I was more concerned about cases when you do want to leverage the generated SQL in your own code, which I assume is the whole point of RadFilterSqlQueryProvider as well as the other query provider variants. 

It would be nice to have an option to tell the RadFilterSqlQueryProvider to generate a parameterized query, which you could then use in conjunction with the actual values that you've stored seperately. Using the queries genered from these providers as-is is a huge security threat, because they do nothing to combat SQL injection.

Thanks!

Chris
0
Nikolay Rusev
Telerik team
answered on 22 Jul 2010, 07:36 AM
Hello Chris,

The main purpose of this providers is to be used against filterable controls/datasource controls(in .net 3.*/4.0), not to build any kind of SQL statements. 

You can build SQL on your own by iterating the expressions of RadFilter or by extending RadFilterSqlQueryProvider and overriding PrepareQuery( as argument this method receive the expressions for which SQL must be generated).

Greetings,
Nikolay
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
0
tiffany
Top achievements
Rank 1
answered on 11 Oct 2011, 01:27 PM
Hi,

Does RadGrid without using RadFilter also prevent SQL Injections Attack?

Thanks,
Tiffany
0
Radoslav
Telerik team
answered on 14 Oct 2011, 07:15 AM
Hi Tiffany,

The RadGrid does not directly inserts or updates values into the database. Depending on the used data binding inserted or updated values are passes to the database via Databound controls or manually by code into the code behind. In the first case to avoid the injections you need to populate the UpdateParameters and InsertParameters collections of the data source. Example of this approach you could find on the following link:
http://demos.telerik.com/aspnet-ajax/grid/examples/dataediting/alleditablecolumns/defaultcs.aspx
In this case the responsibility for inserting and updating values has a data bound control and it will parse and escape the values.

In the second approach the responsibility for preventing SQL injection has the developer. In this case the suggested approach is to use parameterized queries or a stored procedure.

Additionally please check out the following online example which demonstrates how to perform CRUD operation with the RadGrid:
http://demos.telerik.com/aspnet-ajax/grid/examples/dataediting/entityframeworkcrud/defaultcs.aspx
http://demos.telerik.com/aspnet-ajax/grid/examples/dataediting/programaticlinqupdates/defaultcs.aspx

I hope this helps.

Kind regards,
Radoslav
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now
0
DeveloperX
Top achievements
Rank 1
answered on 23 Mar 2012, 10:28 AM
How do we get what value they entered in the expression, when overriding PrepareQuery?
0
Radoslav
Telerik team
answered on 27 Mar 2012, 09:26 AM
Hi Tyrone,

You could get the entered values into the PrepareQuery by casting the expression parameter to IRadFilterValueExpression and using its Values property. Also you could get the entire where clause into the ProcessGroup method or into the RadFilter.ApplyExpressions event:
public class MyRadFilterSqlQueryProvider: RadFilterSqlQueryProvider
{
    public override void ProcessGroup(RadFilterGroupExpression rootGroup)
    {
        base.ProcessGroup(rootGroup);
        var whereClause = this.Result;
    }
 
    protected override string PrepareQuery(RadFilterNonGroupExpression expression)
    {
var values = ((IRadFilterValueExpression)expression).Values;
 
        return base.PrepareQuery(expression);
    }
}
protected void RadFilter1_ApplyExpressions(object sender, RadFilterApplyExpressionsEventArgs e)
  {
      MyRadFilterSqlQueryProvider provider = new MyRadFilterSqlQueryProvider();
      provider.ProcessGroup(e.ExpressionRoot);
      Log.Text = provider.Result;
  }

I hope this helps.

Kind regards,
Radoslav
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now.
Tags
Filter
Asked by
Chris
Top achievements
Rank 1
Answers by
Nikolay Rusev
Telerik team
Chris
Top achievements
Rank 1
tiffany
Top achievements
Rank 1
Radoslav
Telerik team
DeveloperX
Top achievements
Rank 1
Share this question
or