Reputation: 25701
I have a couple of SQL CLR projects that are added into my SQL Server 2005 as assemblies. They are accessed from my web app via stored procedures that fire off the assemblies.
How and what are best practices for preventing SQL injections in my SQL assemblies?
The assemblies have a bunch of code that builds crazy SQL statements (example):
```csharp
sqlBuff.Append("SELECT ");
// Always put replicate weight values on the first.
sqlBuff.Append(colBuff.ToString());          // column list built from caller-supplied names
sqlBuff.AppendLine(" FROM ");
String tableNames = colTabNameHelper.GetTableNameList(colNames);
String joinStr = colTabNameHelper.CreateJoinStr(tableNames);
sqlBuff.Append(joinStr);                     // table names and JOIN clause spliced in as text
sqlBuff.AppendLine(" WHERE (");
sqlBuff.Append(inMatrix.WeightVar);          // value concatenated directly into the WHERE clause
```
Can I prevent injections here too? Or does .NET/SQL Server help? Should I worry about this?
Upvotes: 3
Views: 151
Reputation: 5672
The definitive way of avoiding injection attacks is to use Parameters. Are you able to use these in the embedded assemblies?
Upvotes: 2
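An added example (not code from the question or the answer) of the approach the answer recommends, applied to a SQL CLR stored procedure: comparison values go through `SqlParameter`, while column names, which cannot be parameters, are checked against an allow-list before they are placed in the SQL text. The column names, the table `dbo.Measurements` and the procedure name are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Text;
using Microsoft.SqlServer.Server;

public static class WeightedQuery
{
    // Constructed allow-list: the only column identifiers this assembly may emit as SQL text.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Weight", "Score", "Region" };
    private const string TableName = "dbo.Measurements"; // assumed table name

    // Identifiers cannot be parameters, so they are validated against the allow-list
    // and bracket-quoted; anything not on the list is rejected before any SQL is built.
    private static string SafeColumn(string name)
    {
        if (name == null || !AllowedColumns.Contains(name))
            throw new ArgumentException("column not allowed: " + name);
        return "[" + name.Replace("]", "]]") + "]";
    }

    [SqlProcedure]
    public static void SelectWeighted(SqlString weightColumn, SqlDouble minWeight)
    {
        string col = SafeColumn(weightColumn.Value);
        var sql = new StringBuilder();
        sql.Append("SELECT ").Append(col);
        sql.Append(" FROM ").Append(TableName);
        // The threshold is a parameter: it is sent as typed data, never as SQL text.
        sql.Append(" WHERE ").Append(col).Append(" >= @minWeight");

        // "context connection=true" runs on the caller's existing session inside SQL Server.
        using (var conn = new SqlConnection("context connection=true"))
        using (var cmd = new SqlCommand(sql.ToString(), conn))
        {
            cmd.Parameters.Add("@minWeight", SqlDbType.Float).Value = minWeight.Value;
            conn.Open();
            // SqlContext.Pipe streams the result set back to the T-SQL caller.
            SqlContext.Pipe.ExecuteAndSend(cmd);
        }
    }
}
```

The same split applies to the question's builder: every `inMatrix.WeightVar`-style value becomes a parameter, and every column or table name coming from `colNames` passes through an allow-list like `SafeColumn` before it is appended.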