
Just gimme a second to put words in your SQL statement

Do you have your application hooked up to a database?  Do you do stuff like

string sql = "SELECT * FROM Products " +
  "WHERE Id = " + userInput;

Well, if I were mean (I'm not), I could do some naughty things that would be called a SQL injection attack.  Imagine if I sent in "1; Drop Table Product;" as an end user.

Well, fear not, there are a few super easy ways to prevent this type of attack.

Colin Mackay has an article that explains SQL injection attacks in more detail and covers multiple ways to prevent them.

A few quick ways are to use SQL parameters and to validate your data instead of blindly trusting your end user.  Here is an example of a parameterized query (using System.Data.SqlClient; conn is an open SqlConnection).

string commandText = "SELECT * FROM Customers " +
    "WHERE Country = @CountryName";
SqlCommand cmd = new SqlCommand(commandText, conn);
// The value travels separately from the SQL text, so it is data, never a command.
cmd.Parameters.AddWithValue("@CountryName", countryName);
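As an added example that is not part of the original post, here is the Products lookup from the top of the post done both ways the post recommends: validate the input first, then pass it as a typed parameter. The table name, the int Id column and an already-open SqlConnection named conn are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the original post's code. Assumes a "Products" table
// with an int "Id" column and an open SqlConnection passed in as "conn".
static class ProductLookup
{
    public static DataTable GetProductById(SqlConnection conn, string userInput)
    {
        // 1. Validate: the Id must be a whole number. An input such as
        //    "1; Drop Table Product;" fails this check before it reaches the server.
        if (!int.TryParse(userInput, out int id))
            throw new ArgumentException("Id must be an integer.", nameof(userInput));

        // 2. Parameterize: the SQL text is a constant; the value is sent
        //    separately and typed as an int, so it can only ever be a value.
        const string commandText = "SELECT * FROM Products WHERE Id = @Id";

        using (var cmd = new SqlCommand(commandText, conn))
        {
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;

            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Same idea for a free-text value: an explicit type and length mean
    // the string is compared literally, whatever characters it contains.
    public static DataTable GetCustomersByCountry(SqlConnection conn, string countryName)
    {
        const string commandText = "SELECT * FROM Customers WHERE Country = @CountryName";

        using (var cmd = new SqlCommand(commandText, conn))
        {
            cmd.Parameters.Add("@CountryName", SqlDbType.NVarChar, 100).Value = countryName;

            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```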

Remember, Johnny Drop Table can cause some trouble.

  • rrobin

    "Imagine if I sent in "1; Drop Table Product;" as an end user."

    He'd get an exception, explaining "Table not Found". The table name was "Products", not "Product" :)

    string sql = "SELECT * FROM Products " +
      "WHERE Id = " + userInput;

  • Bydia

    Imagine that you did do that and nothing would happen, because you tried to delete the Product table while the actual table is Products.  Sorry, I couldn't resist the typo.

  • Clint Rutkas

    Yes, my bad, I typo'd it.  There are worse commands that could be sent in.  Plus, who knows, there may be a table Product also.
