Just gimme a second to put words in your SQL statement
- Posted: May 19, 2008 at 5:14PM
- 3 comments
Do you have your application hooked up to a database? Do you do stuff like
string sql = "SELECT * FROM Products " + "WHERE Id = " + userInput;
Well, if I were mean (I'm not), I could do some naughty things, which is called a SQL injection attack. Imagine if I sent in "1; Drop Table Product;" as an end user.
Well, fear not, there are a few super easy ways to prevent this type of attack.
A few quick ways are to use SQL parameters and to validate your data instead of blindly trusting your end user. Here is an example of a parameterized query.
using System.Data.SqlClient;

string commandText = "SELECT * FROM Customers " + "WHERE Country = @CountryName";
SqlCommand cmd = new SqlCommand(commandText, conn);
cmd.Parameters.AddWithValue("@CountryName", countryName); // bound as a value, never parsed as SQL
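To see the difference the parameter makes, here is an added example (not the post's own code) in Python with sqlite3 standing in for C# and SqlClient; the Products table, its rows and the payload are constructed for the demo, and executescript is used on the concatenated side because, like SqlCommand, it runs every statement in the string it is handed.

```python
import sqlite3


def fresh_db():
    """Constructed sample Products table standing in for the post's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Products (Id INTEGER PRIMARY KEY, Name TEXT);"
        "INSERT INTO Products VALUES (1, 'Widget'), (2, 'Gadget');"
    )
    return conn


def table_exists(conn):
    """True while the Products table is still present."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='Products'"
    ).fetchone()
    return row is not None


def lookup_concatenated(conn, user_input):
    """The post's vulnerable pattern: user text becomes part of the SQL."""
    sql = "SELECT * FROM Products WHERE Id = " + user_input + ";"
    # executescript runs the whole batch, so any statement smuggled into
    # user_input runs too. Result rows are discarded; return the side effect.
    conn.executescript(sql)
    return table_exists(conn)


def lookup_parameterized(conn, user_input):
    """Hardened form: the driver binds user_input as one value, never as SQL."""
    return conn.execute(
        "SELECT * FROM Products WHERE Id = ?", (user_input,)
    ).fetchall()


def demo():
    payload = "1; DROP TABLE Products"
    vulnerable = fresh_db()
    concat_table_survived = lookup_concatenated(vulnerable, payload)   # False
    safe = fresh_db()
    rows = lookup_parameterized(safe, payload)                         # []
    return concat_table_survived, table_exists(safe), rows             # (False, True, [])
```

With the parameter, the injected text is compared against the Id column as a single value and simply matches nothing; combine it with input validation (an Id should parse as an integer before it ever reaches the query) for defence in depth.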
Remember, Johnny Drop Table can cause some trouble.