- About us
- Services
- Skills
- Web Development
- ColdFusion Development
- SharePoint Development
- Classic ASP Development
- ASP.NET Development
- Modern ASP .Net Development
- DotNetNuke Development
- Java/JSP/servlets Development
- Python Development
- PHP Development
- Perl Development
- Ruby on Rails (RoR) Development
- Lasso Development
- Real Basic Development
- Google API Integration Services
- Mobile Development
- Database & Client server Development
- Plug-in Development
- Reports/BI Development
- Automated Testing
- QA/Testing Skills
- Domain-based Testing
- E-Commerce Development
- CMS Development
- Desktop Development
- RIA Development
- App-based development
- Salesforce Development
- SugarCRM Development
- Dynamics GP GreatPlains development
- Dynamics SL Solomon development
- Microsoft Dynamics CRM Consulting Development
- Dynamics RMS development
- LiveCycle development
- QuickBooks development
- Drupal development
- Joomla development
- Typo3 development
- Magento development
- Dolphin social development
- Others
- Web Development
- Industries
- Knowledge
- Process
- Models
- Clients
- Career
| |
Software Technology Tips
Using parameterized SQL queries to help prevent SQL injection attack. |
If you are not new to web development in particular, it is quite likely that you already know what a SQL injection is and how it poses threat to your system security. This is more probable when you are adding strings to SQL commands.
string sql = "SELECT * FROM tblUser WHERE Name = '" + txtName.Text +
"' AND Password = '" + txtpassword.Text + "'"; Well, the above statement looks fine but what a malicious user would now do is add condition such as
' OR 3=3 --
So that the actual SQL statement becomes
SELECT * FROM tblUser WHERE Name = '' OR 3=3 --' AND Password = ''
The double dashes comment out rest of the statement and the condition 3=3 is added. Since 3 is always equal to 3 the query selects every row in the table thus giving access to information which wouldn't be available otherwise.
However, parameterizing the SQL statement would not only remove this vulnerability but also enhance performance multifold. Parameterized SQL statements are in some ways similar to stored procedures, so if you have worked with the latter, the concept of parameterized query would be easier to understand. Further, since the parts of the SQL statement are added as parameters, the same code can be reused.
Now let us create a parameterized SQL statement in ASP.NET. As usual, we would be required to first create our connection and command objects. We would then add parameters to it before it is executed.
SqlConnection objCon = new SqlConnection(ConnectionString); objCon.Open(); SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection); objCommand.Parameters.Add("@Name", txtName.Text); objCommand.Parameters.Add("@Password", txtpassword.Text); SqlDataReader objReader = objCommand.ExecuteReader(); if (objReader.Read()) { ---------- -------- --------- } |
Related Tags:
ASP.NET
Author: Santono Patra
ASP.NET
- How to use parameterized queries in ASP.Net
- How to set the properties of ASP.NET Server controls for compatibility with different browsers
- SSL Server Certificate Issue
- Binding ObjectDataSourceControl to a collection in ASP.Net 3.5
- DevExpress GridView : Setting the RepositoryItem at runtime in a DevExpress GridView for Windows Application
- Maintaining the state of checkboxes in ListView
- Adding Event Handler and CssClass To Elements Using ScriptManager
- Enhancing performance of web applications through output caching
- How to Customize the Group Text of a DevExPress Grid View
- Creating a comma-separated string from collection of objects.
- How to bind gridview with array data source?
- How to Show Session Count in ASP.Net Web Application
- How to group radio buttons from a grid using javascript in ASP.NET
- How To Load User Controls Dynamically in ASP.Net3.5
- DevExpress GridView: How to get and set the RowHandle
- How to Create Custom Configuration Section in ASP.Net3.5
- Choosing between DataTable vs. DataReader in ADO.NET
- Decide upon validating a cached page programmatically.
- Register client-side startup script from server-side code
- How to publish content from another URL in a ContentPlaceHolder control
- More Related Tips
