How vulnerable is the this dynamically created sql?

Question

I can find so much information on the web about the proper and safe way of dynamically creating parameterized queries. However such websites only talk about parameterization of the where clause.

Well, what about the other clauses of a sql statement? See the following:

       string sql = string.Format(@"                
            SELECT MIN(TableName) as TableName, {0}
            FROM
            (
              SELECT 'Table A' as TableName, {0}
              FROM {1}
              UNION ALL
              SELECT 'Table B' as TableName, {0}
              FROM {2}
            ) tmp
            GROUP BY {0}
            HAVING COUNT(*) = 1", columnList, tableA, tableB);

I'm constructing a statement whereby the following has been parameterized:

The items in the select clause
The tablename in the from clause

Question: How vulnerable is this to sql injection that can cause some damage?

I can't think of anyway a malicious hacker could inject sql that will result in properly formed, executable sql. But then again, I'm not an sql expert.

Svek · Accepted Answer

As @Andrew states in his answer, if the parameter(s) are not impacted by any user input, or otherwise gets validated/cleaned it should be fine.

To answer your point about a possible properly formed SQL statement... The only areas that draw concern are potential escaped characters (such as a semi-colon, that can technically be placed anywhere in the command block) and/or something well-formed at the {1} and {2} sections of the statement.

How vulnerable is the this dynamically created sql?

Answers (2)

Related Questions