What are good ways to prevent SQL injection? [duplicate]

by

By using the SqlCommand and its child collection of parameters all the pain of checking for sql injection is taken away from you and will be handled by these classes.

Here is an example, taken from one of the articles above:

private static void UpdateDemographics(Int32 customerID,
    string demoXml, string connectionString)
{
    // Update the demographics for a store, which is stored  
    // in an xml column.  
    string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
        + "WHERE CustomerID = @ID;";

    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        SqlCommand command = new SqlCommand(commandText, connection);
        command.Parameters.Add("@ID", SqlDbType.Int);
        command.Parameters["@ID"].Value = customerID;

        // Use AddWithValue to assign Demographics. 
        // SQL Server will implicitly convert strings into XML.
        command.Parameters.AddWithValue("@demographics", demoXml);

        try
        {
            connection.Open();
            Int32 rowsAffected = command.ExecuteNonQuery();
            Console.WriteLine("RowsAffected: {0}", rowsAffected);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}

More Related Contents:

  1. Does using parameterized SqlCommand make my program immune to SQL injection?
  2. How can I add user-supplied input to an SQL statement?
  3. SQL injection on INSERT
  4. Automated checking of database connection and query in same database [closed]
  5. Execute non-query error [closed]
  6. What is SQL injection? [duplicate]
  7. How can prepared statements protect from SQL injection attacks?
  8. How to use DbContext.Database.SqlQuery(sql, params) with stored procedure? EF Code First CTP5
  9. How do I clean SqlDependency from SQL Server memory?
  10. Is it necessary to manually close and dispose of SqlDataReader?
  11. LINQ to SQL multiple tables left outer join
  12. Passing List to SQL Stored Procedure
  13. Storing credit card details
  14. SQL update statement in C#
  15. Any way to SQLBulkCopy “insert or update if exists”?
  16. EF 6 Parameter Sniffing
  17. encrypt SQL connectionstring c#
  18. Table name and table field on SqlParameter C#?
  19. ExecuteNonQuery returning -1 when using sql COUNT despite the query string
  20. How to make LINQ execute a (SQL) LIKE range search
  21. Sql Bulk Copy/Insert in C#
  22. Calling SQL Defined function in C#
  23. Index (zero based) must be greater than or equal to zero
  24. Issues Doing a String Comparison in LINQ
  25. C# SQL insert command
  26. C#.NET: Acquire administrator rights?
  27. Store sensitive information inside keepass database from c#
  28. Generating sql code programmatically
  29. RSA read PublicKey
  30. Do we have transactions in MS-Access?

Leave a Comment