So I have a program that does more or less this:
read list of element attributes from XML with structure like <tag dbfield="@column">data</tag>
element names correspond to columns in SQL database
generate data and add it to dict with the structure like {tag.attribute("dbfield").value, tag.value}
add dict items it to database using AddWithValue(tag.attribute("dbfield").Value, tag.Value
and stored procedure in database.
4th step is the most tricky. I’d like to decouple the database structure from the code, i.e. to be able to plug the new XML with different structure, and use another stored procedure, without the need to rewrite half of the functions. I’d like to not have to use the column names in code, but read them from file, but I’m afraid this will be a security issue – even though I’ll be the only one who edits the XML files.
Now, I see the following possibilities:
Screw security – use the “dbfield
” attribute in XML (e.g. <tag dbfield="@column">data</tag>
) and generate AddWithValue(tag.attribute("dbfield").Value, tag.Value)
– the potentially insecure part is that there’s nothing that stops attacker to use Bobby Table’s name as dbfield – tag.value is secure-ish, as it’s parametrized,
Screw decoupling – hard code the column names in the code,
Something I’m missing – but I’m not sure if there are other options.
I know that I could also sanitize the shit out of the file, but it’s still not the peak of security, so y’know…
Any tips appreciated, and if that changes anything I’d like to not use Entity Framework for this.
How dynamic are the column names? Certainly not completely as they need to exist in the table.
C# devs
null reference exceptions