This question is merely for educational purposes, as I'm not currently building any application that builds SQL queries with user input.
That said, I know that in ADO.N
No, a query parameter can substitute for one scalar value in your SQL statement.
For example, a single string literal, a date literal, or a numeric literal.
It doesn't have to be in the WHERE clause. Anywhere you can have an expression in SQL, you can include a scalar value, and therefore a parameter. For example, in join conditions, or in the select-list, or in ORDER BY or GROUP BY clauses.
You cannot use query parameters for:
If you need to make any of these parts of your query user-definable, then you need to build the SQL query string by interpolating or concatenating application variables into the string. This makes it difficult to defend against SQL injection.
The best defense in that case is to whitelist specific values that are safe to interpolate into your SQL string, for instance a set of table names that you define in your code. Let the user choose a table from these pre-approved values, but don't use their input verbatim in SQL code that you then execute.
User input may provide values, but should never provide code.
You may find my presentation SQL Injection Myths and Fallacies helpful. I cover whitelisting in that presentation (my examples are in PHP, but the idea applies to any programming language).
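An added example (not from the answer above) showing the same points against SQLite from Python: a placeholder in identifier position is a syntax error, a placeholder in the select-list binds a literal rather than a column, and identifiers chosen by the user go through a whitelist while the value stays a bound parameter. The table, rows and allowed-name sets are constructed for the demo.

```python
import sqlite3

# Constructed demo whitelist: the only identifiers the application will ever splice into SQL.
ALLOWED_TABLES = {"customers", "suppliers"}
ALLOWED_ORDER_COLUMNS = {"id", "name"}


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT);
        INSERT INTO customers VALUES (2, 'bob'), (1, 'carol'), (3, 'alice');
        CREATE TABLE suppliers (id INTEGER, name TEXT);
    """)
    return conn


def parameter_as_identifier_fails(conn):
    """A parameter cannot stand in for a table name: the statement does not even parse."""
    try:
        conn.execute("SELECT id FROM ?", ("customers",))
    except sqlite3.OperationalError:
        return True
    return False


def parameter_is_a_literal(conn):
    """In the select-list a parameter is a scalar: binding 'name' yields the string, not the column."""
    return conn.execute("SELECT ? FROM customers LIMIT 1", ("name",)).fetchone()[0]


def names_ordered(conn, table, order_col, max_id):
    """Whitelist the identifiers, then let a real parameter carry the user-supplied value."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    if order_col not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"order column not allowed: {order_col!r}")
    # Only pre-approved identifiers reach the string; max_id is bound, never interpolated.
    sql = f'SELECT name FROM "{table}" WHERE id <= ? ORDER BY "{order_col}"'
    return [row[0] for row in conn.execute(sql, (max_id,))]


if __name__ == "__main__":
    db = make_db()
    print(parameter_as_identifier_fails(db))          # True
    print(parameter_is_a_literal(db))                 # name
    print(names_ordered(db, "customers", "name", 3))  # ['alice', 'bob', 'carol']
```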