Does stored procedure allow to learn table column names in the database from .NET code

  • Thread starter Thread starter IlhaBaba
  • Start date Start date
I

IlhaBaba

Guest
I have a .NET console application that communicates with a database via parameterized stored procedures.

Both application and the database are in-house, located within the same Intranet.

As described above, I do pass parameters and receive result sets back. Just use plain ADO connection (no EF or alike).

Very basic, something like

cmd.CommandText = "my_stored_procedure";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add(new SqlParameter("@FileName", SqlDbType.NVarChar));
cmd.Parameters["@FileName"].Value = FileName;
cmd.Prepare();
...

var reader = cmd.ExecuteReader();


while (reader.Read())
{
int value1 = Convert.ToInt32(reader.GetValue(0));
string value2 = reader.GetValue(1).ToString();
}


Here is a question:

Assuming, there is no data sets and anything else referencing to the database structure and its tables in the code how it's possible to LEARN database column names by opening the code.

The reason I'm asking is that it was raised as vulnerability and were told someone can access this code and then learn column names. I just don't see it happening at all, but would love to learn if someone will share.

Thank you,

IlhaBaba

Continue reading...
 
Back
Top