Just gimme a second to put words in your SQL statement
Do you have your application hooked up to a database? Do you do stuff like
// Vulnerable: user input is pasted straight into the statement text.
string sql = "SELECT * FROM Products " + "WHERE Id = " + userInput;
Well, if I were mean (I'm not), I could do some naughty things that would be called a SQL Injection Attack. Imagine if I sent in "1; Drop Table Product;" as an end user.
Well, fear not, there are a few super easy ways to prevent this type of attack.
A few quick ways are to use SQL parameters and to validate your data instead of blindly trusting your end user. Here is an example of a parameterized query.
// Requires: using System.Data; using System.Data.SqlClient;
string commandText = "SELECT * FROM Customers " + "WHERE Country = @CountryName";
SqlCommand cmd = new SqlCommand(commandText, conn);
// Declare the parameter with an explicit type; the old Add(string, object) overload is obsolete.
cmd.Parameters.Add("@CountryName", SqlDbType.NVarChar, 50).Value = countryName;
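Putting both defences together, here is an added example (not code from the original post) that looks up a product by Id the safe way: the input is validated as an integer before the database is ever involved, and the query sends the value as a typed parameter. The Products and Customers table shapes, the column names and the connection string are assumptions for illustration; the ADO.NET calls are the standard System.Data.SqlClient ones.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Table and column names are assumed.
public sealed class ShopRepository
{
    private readonly string _connectionString;

    public ShopRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Defence 1, validation: an Id is a positive integer, so anything else is
    // rejected here and never reaches SQL Server at all.
    public static bool TryParseProductId(string userInput, out int id)
    {
        return int.TryParse(userInput, out id) && id > 0;
    }

    // Defence 2, parameters: the value travels separately from the command
    // text, so the server only ever treats it as data, never as SQL.
    public DataTable GetProductById(int id)
    {
        const string commandText = "SELECT Id, Name, Price FROM Products WHERE Id = @Id";
        return Execute(commandText, new SqlParameter("@Id", SqlDbType.Int) { Value = id });
    }

    // Same idea for a string filter: a typed, length-limited parameter.
    public DataTable GetCustomersByCountry(string countryName)
    {
        const string commandText = "SELECT Id, Name FROM Customers WHERE Country = @CountryName";
        var p = new SqlParameter("@CountryName", SqlDbType.NVarChar, 50) { Value = countryName ?? string.Empty };
        return Execute(commandText, p);
    }

    // Shared plumbing: open a connection, attach the parameters, load the rows.
    private DataTable Execute(string commandText, params SqlParameter[] parameters)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(commandText, conn))
        {
            cmd.Parameters.AddRange(parameters);
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        // Placeholder connection string; replace with your own.
        var repo = new ShopRepository("Server=.;Database=Shop;Integrated Security=true;");
        string userInput = args.Length > 0 ? args[0] : "1";

        // Anything that is not a plain integer, such as "1; Drop Table Product;",
        // is stopped here with a clear message instead of reaching the database.
        if (!ShopRepository.TryParseProductId(userInput, out int id))
        {
            Console.WriteLine("Rejected: '{0}' is not a valid product Id.", userInput);
            return;
        }

        DataTable rows = repo.GetProductById(id);
        Console.WriteLine("{0} product row(s) returned.", rows.Rows.Count);
    }
}
```

Note that the parameter types are declared explicitly rather than inferred with AddWithValue; that avoids surprises with implicit conversions and keeps the server's plan cache stable, and the length on the NVarChar parameter doubles as a cheap upper bound on what a caller can send.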
Remember, Johnny Drop Table can cause some trouble.