
SQL injection in Windows Services? [Resolved]

I have many Windows services which run on the server side only. They perform a few CRUD operations on a database (MySQL).

There is a client application which allows a user to upload files through it to the server. When the file gets uploaded to the server, the Windows service performs the required operations on this file and updates the details in the database through SQL queries.

Client App(Desktop App) -> File -> Upload on Server -> Window Service Process File -> Database Entry

I was wondering whether this kind of architecture really requires parameterized queries to prevent SQL injection?

Question Credit: Arpit Gupta
Asked March 25, 2019
Posted Under: Security
1 Answer

Parameterized queries are a good idea in almost every case.

All it takes is one mistake in the service which processes the uploaded file and you could have SQL injection issues.

Security is about defense in depth, meaning you use several layers of security in case there's a hole in another part of your system. I would recommend following best practices for SQL queries. In the end it's not strictly required, but it would present an unnecessary risk considering how little effort it takes to parameterize queries.

It can also improve code readability by eliminating the constant opening, closing, and appending of strings where it's easy to miss quotes for a string type parameter.

credit: Daisetsu
Answered March 25, 2019
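The point of the answer, as an added example that is not part of the question or the answer above: a small model of the server-side step that records an uploaded file as processed. It runs against an in-memory SQLite database so it works offline; the `uploads` table, its columns and the sample rows are constructed for this illustration and are not the asker's schema. The same two functions show the "one mistake" (splicing the client-chosen file name into the SQL text) next to the parameterized form.

```python
import sqlite3
from typing import Optional

# Constructed sample rows standing in for uploads the service has yet to process.
SAMPLE_UPLOADS = [
    ("report.pdf", "pending"),
    ("invoice.csv", "pending"),
    ("photo.png", "pending"),
    ("O'Brien notes.txt", "pending"),  # legitimate name that contains a quote
]


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed `uploads` table (not the asker's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE uploads (id INTEGER PRIMARY KEY, filename TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO uploads (filename, status) VALUES (?, ?)", SAMPLE_UPLOADS)
    conn.commit()
    return conn


def mark_processed_unsafe(conn: sqlite3.Connection, filename: str) -> int:
    """The single mistake the answer warns about: the client-chosen file name is
    spliced into the SQL text, so it can rewrite the WHERE clause.
    Returns the number of rows the UPDATE touched."""
    sql = "UPDATE uploads SET status = 'processed' WHERE filename = '" + filename + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def mark_processed_param(conn: sqlite3.Connection, filename: str) -> int:
    """Parameterized form: the name is bound as a value and never parsed as SQL.
    (With MySQL Connector/Python the placeholder is %s instead of ?.)"""
    cur = conn.execute(
        "UPDATE uploads SET status = 'processed' WHERE filename = ?", (filename,)
    )
    conn.commit()
    return cur.rowcount


def rows_touched_unsafe(filename: str) -> Optional[int]:
    """Fresh database, unsafe update; None means the query failed to parse."""
    conn = make_db()
    try:
        return mark_processed_unsafe(conn, filename)
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


def rows_touched_param(filename: str) -> int:
    """Fresh database, parameterized update."""
    conn = make_db()
    try:
        return mark_processed_param(conn, filename)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one with an apostrophe, one hostile.
    for name in ["report.pdf", "O'Brien notes.txt", "x.txt' OR '1'='1"]:
        unsafe = rows_touched_unsafe(name)
        print(f"{name!r:28} unsafe={unsafe!s:5} param={rows_touched_param(name)}")
```

The ordinary name behaves the same in both versions. The name with an apostrophe breaks the concatenated query outright (the quoting problem the answer mentions) while the bound parameter handles it. The hostile name turns the concatenated WHERE clause into a match on every row, so the unsafe update marks all four uploads processed, whereas the parameterized update looks for that literal string and touches nothing.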