Preventing SQL Injection in ASP.Net

by

Try using a parameterized query here is a link http://www.aspnet101.com/2007/03/parameterized-queries-in-asp-net/

Also, do not use OpenQuery… use the this to run the select

SELECT * FROM db...table WHERE ref = @ref AND bookno = @bookno

More articles describing some of your options:

http://support.microsoft.com/kb/314520

What is the T-SQL syntax to connect to another SQL Server?

Edited

Note: Your original question was asking about distributed queries and Linked servers. This new statement does not reference a distributed query. I can only assume you are directly connecting to the database now. Here is an example that should work.
Here is another reference site for using SqlCommand.Parameters

SqlCommand cmd = new SqlCommand("Select * from Table where ref=@ref", con); 
cmd.Parameters.Add("@ref", SqlDbType.Int);
cmd.Parameters["@ref"] = 34;

Edited:

Ok Jamie taylor I will try to answer your question again.

You are using OpenQuery becuase you are probably using a linked DB

Basically the problem is the OpenQuery Method takes a string you cannot pass a variable as part of the string you sent to OpenQuery.

You can format your query like this instead. The notation follows servername.databasename.schemaname.tablename. If you are using a linked server via odbc then omit databasename and schemaname, as illustrated below

    Dim conn As SqlConnection = New SqlConnection("your SQL Connection String")
    Dim cmd As SqlCommand = conn.CreateCommand()
    cmd.CommandText = "Select * db...table where investor = @investor"
    Dim parameter As SqlParameter = cmd.CreateParameter()
    parameter.DbType = SqlDbType.Int
    parameter.ParameterName = "@investor"
    parameter.Direction = ParameterDirection.Input
    parameter.Value = 34

More Related Contents:

  1. Are Parameters really enough to prevent Sql injections?
  2. Howto? Parameters and LIKE statement SQL
  3. Does this code prevent SQL injection?
  4. How do I update a value in C# and SQL Server? [closed]
  5. Syntax not valid on word ‘ON’ in SQL join statement [closed]
  6. What is the best way to read/parse the XML files [closed]
  7. Why do we always prefer using parameters in SQL statements?
  8. How can I add user-supplied input to an SQL statement?
  9. what’s the issue with AttachDbFilename
  10. Generating an Excel file in ASP.NET [closed]
  11. How should I pass a table name into a stored proc?
  12. How can I force entity framework to insert identity columns?
  13. Avoiding SQL injection without parameters
  14. Is there a way to programmatically determine if a font file has a specific Unicode Glyph?
  15. A network-related or instance-specific error occurred while establishing a connection to SQL Server [closed]
  16. The parameterized query expects the parameter which was not supplied
  17. The transaction manager has disabled its support for remote/network transactions
  18. Does End Using close an open SQL Connection
  19. How can I JSON encode an array in VB.NET?
  20. Why does the 2nd T-SQL query run much faster than the first when called by Reporting Services 2005 in a web-app
  21. Images in database vs file system
  22. EF 4.1 exception “The provider did not return a ProviderManifestToken string”
  23. What is passing parameters to SQL and why do I need it?
  24. Streaming Databased Images Using HttpHandler
  25. IFrame: This content cannot be displayed in a frame
  26. Can’t find microsoft.sqlserver.batchparser.dll
  27. What’s the best way to display an image from a sql server database in asp.net?
  28. Conversion from type ‘DBNull’ to type ‘String’ is not valid
  29. Database Error: There is no row at position 0
  30. URL Routing, Image Handler & “A potentially dangerous Request.Path value”

Leave a Comment