How to prevent a SQL Injection escaping strings

You need to use parameters. Well dont have to but would be preferable.

SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User",user);
myparm[1] = new SqlParameter("@Pass",password);

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";

More Related Contents:

Does using parameterized SqlCommand make my program immune to SQL injection?
How do I re-write a SQL query as a parameterized query?
How do I calculate someone’s age based on a DateTime type birthday?
How to provide user name and password when connecting to a network share
How do you sort a dictionary by value?
how to create an animated gif in .net
AddBusinessDays and GetBusinessDays
Windows Forms Splash Screen – Show a form while loading main form
Is there an alternative to string.Replace that is case-insensitive?
AppSettings get value from .config file
IEqualityComparer that uses ReferenceEquals
The calling thread cannot access this object because a different thread owns it.WPF [duplicate]
Internal vs. Private Access Modifiers
IEnumerable to string [duplicate]
How to catch ALL exceptions/crashes in a .NET app [duplicate]
How DataReader works?
C#: How to add subitems in ListView
How to compare only Date without Time in DateTime types?
When or if to Dispose HttpResponseMessage when calling ReadAsStreamAsync?
How do I programmatically save an image from a URL?
Days, hours, minutes, seconds between two dates
Selenium WebDriver throws Timeout exceptions sporadically
smtpclient ” failure sending mail”
Explanation of Func
Subscribe to INotifyPropertyChanged for nested (child) objects
How do I minimize a WinForms application to the notification area?
.net connection pooling
Encryption compatible between Android and C#
Repository Pattern, POCO, and Business Entities
Two Types not equal that should be

More Related Contents:

Leave a Comment Cancel reply