Hi, is this code safe from SQL injection attacks?

# Main Program (magic.nim)
    
    
    include magiclib
    include magicInjectSafe
    
    #[ Declare objects and parameters ]#
    var
        connectionEngine: ConnectionEngine
        resultEngine: ResultEngine
        script: string
    
    #[ instantiate new instances ]#
    new (connectionEngine)
    new (resultEngine)
    
    #[ prepare a SQL script ]#
    script = (string)("SELECT TOP 100 * FROM $1 (NOLOCK) WHERE EffectivePeriod 
>= $2".SQL % ["dbo.DimContract","201901"])
    
    #[ start connection manager and open a database connection ]#
    connectionEngine.start()
    
    #[ execute a sql query and return the result s]#
    var results = resultEngine.getResult(connectionEngine, script)
    
    #[ echo the results to a termminal ]#
    echo results
    
    

# magicInjectSafe.nim
    
    
    import strutils, sequtils
    
    type
        SQL = distinct string
    
    proc properQuote(s: string): SQL =
        return SQL(s)
    
    proc `%` (frmt: SQL, values: openarray[string]): SQL =
        let v = values.mapIt(properQuote(it))
        type StrSeq = seq[string]
        result = SQL(string(frmt) % StrSeq(v))
    
    

# magiclib.nim
    
    
    import odbc
    
    #[ ConnectionEngine ]#
    type ConnectionEngine = ref object of RootObj
        database: string
        connection: ODBCConnection
    method start(self: ConnectionEngine) {.base.} =
        self.connection = newODBCConnection()
        let c = self.connection
        c.driver = "ODBC Driver 17 for SQL Server"
        c.host = "magic"
        c.port = 1410
        c.database = "DataWarehouse"
        c.integratedSecurity = false
        c.userName = "sa"
        c.password = "Admin3970#xx"
        c.authenticationType = "Plain"
        c.connectionType = "Direct"
        if not self.connection.connect:
            echo "Could not connect to database."
    
    #[ ResultEngine ]#
    type ResultEngine = ref object of RootObj
        query: SQLQuery
    method getResult(self: ResultEngine, connectionEngine: ConnectionEngine, 
script: string): SQLResults {.base.} =
        self.query = newQuery(connectionEngine.connection)
        self.query.statement = script
        self.query.open
        echo script
        return self.query.fetch
    
    
