ASP.NET Debugging : SQL Injection and how to avoid it: "SQL Injection and how to avoid it"
The safest way to keep yourself safe from SQL Injection is to always use stored procedures to accept input from user-input variables. It is really simple to do this, for example, this is how you don't want to code things:
e.g.
var Shipcity;
ShipCity = Request.form ("ShipCity");
var sql = "select * from OrdersTable where ShipCity = '" +
ShipCity + "'";
good pratics..
SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
parm.Value = Login.Text;
http://www.visli.com/
No comments:
Post a Comment