For internal security training of SDX developers I'm currently preparing a really small web application with different vulnerabilities. The goal is an application that contains all of the OWASP Top 10, so that I can let my colleagues search for them and discuss mitigations.
One of the problems I want to include is of course SQL injection. Since my favorite way of accessing data is the DAAB (Data Access Application Block) of the Enterprise Library, I used it in this project, too. When I came to SQL injection, I realized that I cannot use SPROCs as usual, but need to put the SQL statements into my code: using SPROCs usually implies using SQL parameters, which protects you from injection issues (as long as you don't construct SQL manually inside the SPROC).
This way I came across the issue of using parameters with SQL statements in DAAB. This is not really an "issue" as long as you accept that you have to create a command object, use the database object to add the parameters (one line of code per parameter), and finally execute the command to get the result. But I don't like to repeat such steps and wanted something more "elegant", so I wrote a little extension method for the Database object of EntLib:
As you can see, it inspects a value of type "object" and uses its properties to build the parameters. This way you can use anonymous types to pass the parameters to the SQL statement:
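The following is an added example of the idea described above; it is not the post's own extension method. It assumes the Enterprise Library DAAB types `Database`, `GetSqlStringCommand`, `AddInParameter` and `ExecuteReader` (which exist in EntLib) and, for the `@Name` placeholder syntax, a `SqlDatabase` instance. The method names `GetParameterizedCommand`, `ExecuteReaderWithParameters`, the `Users` table and the `FindUser*` helpers are hypothetical. It reflects over the public properties of an anonymous type, maps each CLR type to a `DbType` via a whitelist (so an unsupported type fails loudly instead of silently), and adds every value as a typed input parameter. The vulnerable string-concatenation variant is shown beside it so the difference is visible in one place.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
using Microsoft.Practices.EnterpriseLibrary.Data;

// Added example, not the post's code: builds DAAB parameters from an object's properties.
public static class DatabaseExtensions
{
    // Whitelist of supported CLR -> DbType mappings (strings, ints, GUIDs, plus two extras).
    private static readonly Dictionary<Type, DbType> TypeMap = new Dictionary<Type, DbType>
    {
        { typeof(string),   DbType.String },
        { typeof(int),      DbType.Int32 },
        { typeof(Guid),     DbType.Guid },
        { typeof(DateTime), DbType.DateTime },
        { typeof(bool),     DbType.Boolean },
    };

    // Creates a text command and attaches one typed parameter per public property.
    // For SqlDatabase, AddInParameter prefixes "@" itself, so "Name" becomes "@Name".
    public static DbCommand GetParameterizedCommand(this Database db, string sql, object parameters)
    {
        if (db == null) throw new ArgumentNullException("db");
        if (string.IsNullOrEmpty(sql)) throw new ArgumentException("SQL text is required", "sql");

        DbCommand command = db.GetSqlStringCommand(sql);
        if (parameters == null) return command;

        foreach (var property in parameters.GetType().GetProperties())
        {
            object value = property.GetValue(parameters, null);
            Type clrType = Nullable.GetUnderlyingType(property.PropertyType) ?? property.PropertyType;

            DbType dbType;
            if (!TypeMap.TryGetValue(clrType, out dbType))
                throw new NotSupportedException(
                    "Parameter '" + property.Name + "' has unsupported type " + clrType.Name);

            // The value travels as a typed parameter; it never becomes part of the SQL text.
            db.AddInParameter(command, property.Name, dbType, value ?? (object)DBNull.Value);
        }
        return command;
    }

    // Named differently from Database.ExecuteReader so the instance overload
    // ExecuteReader(string, params object[]) does not shadow this extension.
    public static IDataReader ExecuteReaderWithParameters(this Database db, string sql, object parameters)
    {
        return db.ExecuteReader(db.GetParameterizedCommand(sql, parameters));
    }
}

// Hypothetical repository showing the "before" (the training app's bug) and the "after".
public static class UserRepository
{
    // Vulnerable: the caller-supplied value is spliced into the SQL text.
    public static IDataReader FindUserUnsafe(Database db, string userName)
    {
        return db.ExecuteReader(CommandType.Text,
            "SELECT Id, Name FROM Users WHERE Name = '" + userName + "'");
    }

    // Safe: same query, value passed through an anonymous type as a typed parameter.
    public static IDataReader FindUserSafe(Database db, string userName)
    {
        return db.ExecuteReaderWithParameters(
            "SELECT Id, Name FROM Users WHERE Name = @Name",
            new { Name = userName });
    }
}
```

A caller obtains the `Database` as usual, e.g. `DatabaseFactory.CreateDatabase()`, and disposes the returned reader. The whitelist is the main design choice: the post notes that the original only handles strings, integers and GUIDs, and rejecting everything else with `NotSupportedException` turns that limitation into an early, visible error rather than a parameter of the wrong type reaching the server.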
I don't think this is really a new invention, but it may be useful for you, so I want to share it.
Be aware that this code is far from perfect: currently there is no error handling, no input validation to guide the developer, it only handles strings, integers and GUIDs, etc., so you probably don't want to use it "as is" in production code. But since I could not find an example of how to do this via Google, it might be the snippet that gives you an idea of how to keep your application code even smaller.