SQLCommand parameters to prevent SQL injections
-
Hi, would this be a good way to prevent some SQL injections? I am trying to find the best and easiest way to use command parameters whenever I receive user input to query a database. I have a lot of queries, so I'm trying to find an easy, reusable procedure to make use of SqlCommand parameters.
    SqlConnection conn = new SqlConnection(_WebConfig.ConnectionString.ToString());
    try
    {
        DataTable dtVal = new DataTable();
        SqlDataAdapter da = new SqlDataAdapter(
            "SELECT ID, Full_Name, Surname " +
            "FROM Users " +
            "WHERE Full_Name = @LoginUname " +
            "AND Password = @LoginPword", conn);

        // User input only ever travels as typed, size-limited parameter values,
        // never as part of the SQL text.
        da.SelectCommand.Parameters.Add("@LoginUname", SqlDbType.VarChar, 30);
        da.SelectCommand.Parameters["@LoginUname"].Value = LoginUname;
        da.SelectCommand.Parameters.Add("@LoginPword", SqlDbType.VarChar, 15);
        da.SelectCommand.Parameters["@LoginPword"].Value = LoginPword;

        if (conn.State == ConnectionState.Closed)
        {
            conn.Open();
        }
        da.Fill(dtVal);

        return dtVal.Rows.Count == 1;
    }
    catch (Exception)
    {
        // Rethrow without resetting the stack trace ("throw ex;" would lose it).
        throw;
    }
    finally
    {
        conn.Close();
        conn.Dispose();
    }
Any advice or other methods would be greatly appreciated. Thanks
-
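One way to get the reusable procedure the question asks for, as an added example that is not the poster's code: a small helper that accepts the SQL text plus a list of typed, size-limited parameters, and a login check written against it. The connection string, the `Db`/`Param` names and the `ValidateUser` method are assumptions for illustration; the query and parameter definitions are the ones from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the original poster's code): a reusable helper that runs
// any parameterised query. Every user-supplied value goes through a
// SqlParameter, so the SQL text itself never contains user input.
public static class Db
{
    // Assumed to come from configuration in a real application; placeholder here.
    private const string ConnectionString =
        "Server=.;Database=AppDb;Integrated Security=true;";

    // One value plus the type and size of the column it is compared against.
    // The declared size caps what the server receives and keeps plan caching stable.
    public sealed class Param
    {
        public string Name { get; }
        public SqlDbType Type { get; }
        public int Size { get; }
        public object Value { get; }

        public Param(string name, SqlDbType type, int size, object value)
        {
            Name = name;
            Type = type;
            Size = size;
            Value = value ?? DBNull.Value;   // nulls must be sent as DBNull
        }
    }

    public static DataTable Query(string sql, params Param[] parameters)
    {
        var table = new DataTable();

        // 'using' disposes the connection and command even if an exception
        // escapes, replacing the manual try/finally/Close/Dispose pattern.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            foreach (var p in parameters)
            {
                // Parameters.Add(name, type, size) returns the new SqlParameter.
                cmd.Parameters.Add(p.Name, p.Type, p.Size).Value = p.Value;
            }

            conn.Open();
            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(table);
            }
        }
        return table;
    }
}

public static class LoginExample
{
    // Same query as the question, written against the helper. The SQL text is a
    // constant; the two inputs only ever travel as parameter values, so a value
    // containing quotes or comment markers is compared as a literal string.
    public static bool ValidateUser(string loginUname, string loginPword)
    {
        const string sql =
            "SELECT ID, Full_Name, Surname FROM Users " +
            "WHERE Full_Name = @LoginUname AND Password = @LoginPword";

        DataTable rows = Db.Query(sql,
            new Db.Param("@LoginUname", SqlDbType.VarChar, 30, loginUname),
            new Db.Param("@LoginPword", SqlDbType.VarChar, 15, loginPword));

        return rows.Rows.Count == 1;
    }
}
```

Because the helper is the only place that touches `SqlCommand`, a code review only has to confirm that no caller builds its `sql` argument by concatenating user input. Note that parameters address injection only; the query still compares a plaintext `Password` column, which is a separate storage concern not covered here.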
SQL Injection Attacks and Some Tips on How to Prevent Them
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rick Cook