
Possible Duplicate:
What is SQL injection?

I need to know what SQL injection is and the best way to keep our database secure from it.

What technique should we follow to prevent SQL injection attacks?

SQL Injection is when a user inputs a query with actual SQL code that is passed to the database engine in order to cause havoc and execute unintended queries (most maliciously DDL statements, like DROP TABLE).

The technique to prevent SQL Injection is to use parameterized queries.

insert into YourTable
values(@FirstVal, @SecondVal)

This is BAD!!!!

// Vulnerable: the text box contents are spliced straight into the SQL text,
// so a quote character in the input becomes part of the statement itself.
SqlCommand SqlInjectionCandidate = new SqlCommand(string.Empty, MySqlConn);
SqlInjectionCandidate.CommandText = @"
    insert into YourTable
    values('" + FirstNameTextBox.Text + "', '" + LastNameTextBox.Text + "')";

The right way to do it

// Safe: the SQL text contains only placeholders; the values are bound
// separately and sent to the server as data, never as statement text.
SqlCommand NoSqlInjection = new SqlCommand(string.Empty, MySqlConn);
NoSqlInjection.CommandText = @"
    insert into YourTable
    values(@FirstCol, @SecondCol)";

NoSqlInjection.Parameters.AddWithValue("@FirstCol", YourFirstColVal);
NoSqlInjection.Parameters.AddWithValue("@SecondCol", YourSecondColVal);
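The same contrast as the answer's two C# snippets, written here as an added example in Python against an in-memory SQLite database so it runs offline (this is not code from the question or answer; the table YourTable and the sample inputs are constructed to match the answer):

```python
import sqlite3


def new_db() -> sqlite3.Connection:
    """In-memory database with a two-column YourTable (constructed for this demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table YourTable (FirstCol text, SecondCol text)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, first: str, second: str) -> None:
    # Mirrors the BAD snippet: user input is spliced into the SQL text, so a
    # quote in the input is parsed as statement syntax, not as data.
    sql = "insert into YourTable values('" + first + "', '" + second + "')"
    conn.execute(sql)


def insert_parameterized(conn: sqlite3.Connection, first: str, second: str) -> None:
    # Mirrors the right way: placeholders in the SQL, values bound separately.
    # The driver passes the values as data; they can never alter the statement.
    conn.execute("insert into YourTable values(?, ?)", (first, second))


def rows(conn: sqlite3.Connection) -> list:
    return conn.execute(
        "select FirstCol, SecondCol from YourTable order by rowid"
    ).fetchall()


def demo(first: str, second: str) -> dict:
    """Run both variants on the same input and report what each stored."""
    result = {}
    conn = new_db()
    try:
        insert_concatenated(conn, first, second)
        result["concatenated"] = rows(conn)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # A legitimate apostrophe (O'Brien) already breaks the concatenated
        # statement; anything more hostile is rejected or misparsed the same way.
        result["concatenated"] = f"error: {exc}"
    conn = new_db()
    insert_parameterized(conn, first, second)
    result["parameterized"] = rows(conn)  # input stored verbatim, table intact
    return result


if __name__ == "__main__":
    print(demo("O'Brien", "Conan"))
```

With the answer's own DROP TABLE text as input, the parameterized path stores it as an inert string and the table survives, which is the property the answer is recommending.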