c#, sqldataadapter

Do I have to worry about inserts/updates/deletes/injection attacks when I use the following SqlDataAdapter?


Do I need to do anything in order to prevent inserts/updates/deletes/injection attacks when I'm using the following code?

using System.Data;
using System.Data.SqlClient;

public static DataSet getReportDataSet(string sqlSelectStatement)
{
    // The SQL text pulled from the report is passed straight through as the SelectCommand.
    SqlDataAdapter da = new SqlDataAdapter(sqlSelectStatement, new SqlConnection(GlobalVars.ConnectionString));
    DataSet reportData = new DataSet();
    // Fill opens the connection, executes the whole batch and loads the result into the "reportData" table.
    da.Fill(reportData, "reportData");
    return reportData;
}

The idea behind this is that I'll be extracting the sql from a series of Crystal Reports, pulling the data for each report from the MS SQL Server, binding the data to the reports and then exporting the filled reports to PDF.

I know that you can use the built-in functionality to get the reports to pull their own data, but my tests have shown that pushing the data to the reports is a whole bunch faster. My only issue with this is that I have no control over the reports that will be run.

People will be required to provide their own login credentials for the SQL Server, so they will only be able to see data from the databases that they have permissions to... but some of the users have write permissions, and I'm worried that blindly running a SQL string pulled from a Crystal Report could potentially allow for an insert/update/delete/injection attack...

I think that I might be worrying for nothing, but I can't find anything that outright states if this could be used for things aside from selects.

Edit:

So from the initial comments, I think that I do have to worry about SQL statements aside from SELECTs. So my question now becomes: is there some way to specify that a SqlConnection can only be used for 'reads' (i.e. SELECTs)?


Solution

  • In general I would say: Yes, you have to.

    But maybe Crystal Reports quotes the SQL string already. Try an "attack" by yourself and see what sqlSelectStatement contains.
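A hardened version of the method from the question, added here as an example and not the asker's own code: it assumes a dedicated login (report_reader, placeholder credentials) that is only a member of db_datareader in the report databases, since that server-side permission, not any setting on SqlConnection, is what actually makes the report SQL read-only.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ReportData
{
    // Assumption: this login has db_datareader membership only, so the batch
    // pulled from the report cannot INSERT/UPDATE/DELETE or run DDL no matter
    // what text it contains. The password is a placeholder.
    private static readonly string ReadOnlyConnectionString =
        "Server=.;Database=Reports;User Id=report_reader;Password=<placeholder>;";

    public static DataSet GetReportDataSet(string sqlSelectStatement)
    {
        var reportData = new DataSet();
        using (var conn = new SqlConnection(ReadOnlyConnectionString))
        using (var cmd = new SqlCommand(sqlSelectStatement, conn))
        {
            cmd.CommandType = CommandType.Text;
            conn.Open();
            // Defence in depth only: execute the batch inside a transaction that
            // is never committed, so a data change smuggled into the report SQL
            // is undone. This does not replace the permission check above: the
            // batch can end the transaction itself, and not every statement is
            // transactional.
            using (var tx = conn.BeginTransaction())
            {
                cmd.Transaction = tx;
                using (var da = new SqlDataAdapter(cmd))
                {
                    da.Fill(reportData, "reportData");
                }
                tx.Rollback();
            }
        }
        return reportData;
    }
}
```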