I've seen quite a few posts on this, many come to the same conclusion that using a (possibly length) switch statement is the best way to protect against your SQL query being injected with unwanted statements.

If your primary goal is to prevent SQL Injection, then you might consider simply using the List Function to strip the first word from a user specified parameter.

Example:

SELECT field1, field2
FROM mytable
ORDER BY #ListFirst(url.sort, " ")#

I have not gone through all of the possibilities on this one, so if someone sees a way that the above statement might still allow SQL Injections, please comment.

Of course, a malicious user would be able to inject a one word statement into the order by clause, but I have difficulty seeing what harm that can cause.

Tags:

1 Comment

  1. To modify the approach a bit for Limits and Offsets, since they are both integers, we can use the Val() function to protect these arguments, i.e.

    SELECT field1, field2
    FROM mytable
    LIMIT #Val(url.offset)#, #Val(url.limit)#

Leave a Reply

Your email address will not be published. Required fields are marked *