Thursday, May 29, 2008

SQL Injection and how to avoid it

Source: ASP.NET Debugging: SQL Injection and how to avoid it

The safest way to keep yourself safe from SQL Injection is to always use stored procedures, passing user-input variables to them as parameters rather than building the query text from them. It is really simple to do this; for example, this is how you don't want to code things:

var ShipCity;
ShipCity = Request.form("ShipCity");
// The user's value is spliced straight into the query text, so a value
// containing a quote character becomes part of the SQL statement itself
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

Good practice:

using System.Data;
using System.Data.SqlClient;
// conn is an open SqlConnection; the stored procedure name is the command text
SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
// Typed, length-limited parameter: the value travels to SQL Server as data, never as query text
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
parm.Value = Login.Text;
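To see why the second form is safe, here is an added, runnable comparison of both patterns (example code, not from the post): it uses Python's built-in sqlite3 with a constructed in-memory OrdersTable, and a bound parameter stands in for the SqlParameter above since SQLite has no stored procedures.

```python
import sqlite3

# Constructed sample of the post's OrdersTable (not real data).
ORDERS = [(1, "Redmond"), (2, "Seattle"), (3, "Boston")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderID INTEGER, ShipCity TEXT)")
    conn.executemany("INSERT INTO OrdersTable VALUES (?, ?)", ORDERS)
    return conn


def orders_by_city_vulnerable(ship_city):
    """Mirrors the post's first snippet: the input is spliced into the SQL text."""
    sql = ("SELECT OrderID FROM OrdersTable WHERE ShipCity = '"
           + ship_city + "' ORDER BY OrderID")
    with _connect() as conn:
        return [row[0] for row in conn.execute(sql)]


def orders_by_city_parameterized(ship_city):
    """Mirrors the post's second snippet: the value is bound as a parameter,
    so the database engine never parses it as part of the statement."""
    sql = "SELECT OrderID FROM OrdersTable WHERE ShipCity = ? ORDER BY OrderID"
    with _connect() as conn:
        return [row[0] for row in conn.execute(sql, (ship_city,))]


if __name__ == "__main__":
    # A legitimate value behaves the same either way.
    print(orders_by_city_vulnerable("Seattle"))       # [2]
    print(orders_by_city_parameterized("Seattle"))    # [2]

    # A value containing a quote changes the meaning of the concatenated
    # query (every order comes back), but is only a non-matching string
    # to the parameterized query.
    crafted = "x' OR 'a'='a"
    print(orders_by_city_vulnerable(crafted))         # [1, 2, 3]
    print(orders_by_city_parameterized(crafted))      # []

    # Even honest input with an apostrophe breaks the concatenated version.
    try:
        orders_by_city_vulnerable("O'Brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable query failed:", exc)
    print(orders_by_city_parameterized("O'Brien"))    # []
```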

http://www.visli.com/
