log4net log to database...open to sql injection

Question

Is there an accepted way to both use the log4net ado provider and guard against SQL injection? I can do my own hand rolled scrubbing methods, but that strikes me as risky.

Is there some kind of "DontLetPeopleOwnMyDatabase" = true setting?

our current dangerous config:

<appender name="ADONetAppender" type="log4net.Appender.ADONetAppender">
  <threshold value="ERROR"/>
  <bufferSize value="1"/>
  <connectionType value="System.Data.SqlClient.SqlConnection, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
  <connectionString value="server=myDBServer; uid=myuserName; pwd=myPassword; database=myDatabase"/>
  <commandText value="INSERT INTO errorlog([message], [ServerName], [ApplicationName]) VALUES(@message, 'myServer', 'myApp')" />
  <parameter>

    <parameterName value="@message"/>

    <dbType value="String"/>

    <size value="4000"/>

    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%message"/>
    </layout>

  </parameter>
</appender>

Answer 1

Maybe I'm wrong, but you are already using parameters, so there is no risk of SQL injection. @message is passed as a separate SQL parameter by log4net, not through string concatenation.

But if you are that afraid about SQL injection, how about using a stored procedure...?

Edit Fear no more, dear OP. Here is the missing proof that the log4net logging mechanism is safe against SQL injection:

Records are written into the database either using a prepared statement or a stored procedure. The CommandType property is set to Text (System.Data.CommandType.Text) to specify a prepared statement or to StoredProcedure (System.Data.CommandType.StoredProcedure) to specify a stored procedure.

So, prepared -> pre-compiled -> safe parameter assignment.

If you need more info, you may find it here.