parameterized queries vs. SQL injection

by

This works but would still be vulnerable to injections right?

Yeah, your code is terrifyingly vulnerable to SQL injections.

I know that I should be using parameterized queries to avoid SQL injections.

Oh absolutely yeah.

My question is, how can I do this when I’m passing the query as a string parameter?

You simply shouldn’t be passing the query as a string parameter. Instead you should be passing the query as string parameter containing placeholders and the values for those placeholders:

public static DataTable SqlDataTable(string sql, IDictionary<string, object> values)
{
    using (SqlConnection conn = new SqlConnection(DatabaseConnectionString))
    using (SqlCommand cmd = conn.CreateCommand())
    {
        conn.Open();
        cmd.CommandText = sql;
        foreach (KeyValuePair<string, object> item in values)
        {
            cmd.Parameters.AddWithValue("@" + item.Key, item.Value);
        }

        DataTable table = new DataTable();
        using (var reader = cmd.ExecuteReader())
        {
            table.Load(reader);
            return table;
        }
    }
}

and then use your function like this:

DataTable dt = SqlComm.SqlDataTable(
    "SELECT * FROM Users WHERE UserName = @UserName AND Password = @Password",
    new Dictionary<string, object>
    {
        { "UserName", login.Text },
        { "Password", password.Text },
    }
);

if (dt.Rows.Count > 0)
{
   // do something if the query returns rows
}

More Related Contents:

  1. How can I strip HTML tags from a string in ASP.NET?
  2. How to force HTTPS using a web.config file
  3. How to get the public IP address of a user in C#
  4. Return View as String in .NET Core
  5. How to write some data to excel file(.xlsx)
  6. Force download of a file on web server – ASP .NET C#
  7. DropdownList DataSource
  8. how to call a variable in code behind to aspx page
  9. How do I get the access token from a blazor (server-side) web app?
  10. Sending an array of values to Oracle procedure to use in WHERE IN clause
  11. Setting dropdownlist selecteditem programmatically
  12. Write PDF stream to response stream
  13. How to set attributes values using reflection
  14. How can I remove item from querystring in asp.net using c#?
  15. CallContext vs ThreadStatic
  16. No authenticationScheme was specified, and there was no DefaultChallengeScheme found with default authentification and custom authorization
  17. How to add cross domain support to WCF service
  18. How does Request.IsAuthenticated work?
  19. How can I handle forms authentication timeout exceptions in ASP.NET?
  20. Recursive TreeView in ASP.NET
  21. Index (zero based) must be greater than or equal to zero
  22. Inline code in head tag – ASP.NET
  23. Get All Web Controls of a Specific Type on a Page
  24. How require authorization within whole ASP .NET MVC application
  25. What is the difference between Debug Mode and Release Mode in Visual Studio 2010? [duplicate]
  26. Accessing controls created dynamically (c#)
  27. asp.net web service using office 2010 COM
  28. {version} wildcard in MVC4 Bundle
  29. Opposite of [compare(” “)] data annotation in .net?
  30. What are some alternatives to ReSharper? [closed]

Leave a Comment