Skip to main content

Using Parameterized Queries to avoid SQL Injection In C# .Net

An SQL injection attack consists of insertion or "injection" of an SQL query via the input data from the client to the application. Attackers potentially use SQL Injection to:

  • -Logging into your applicatiob by Bypassing the authentication.
  • -Gaining access to your sensitive information in the database.
  • -Tampering or destroying data.



There are two complementary and successful methods of mitigating SQL Injection attacks:

  • -Parameterized queries using bound, typed parameters.
  • -Careful use of parameterized stored procedures.


 So one common use of such queries is explained in the below example written in Dot Net, which uses Parameterized queries for the variables declared with initial @. And also you can avoid the error caused by Apostophe (') in the variable if you are updating a table.

 Like if you have a variable like O'Connor then you app will throw an error, which can be avoided by the use of Parameterized query.

It is one of the best way to avoid hacking.

Check the example below.


StringBuilder sql = new StringBuilder();
sql.AppendLine("UPDATE TableCustomer Set ");
sql.AppendLine("Address = @Address");
sql.AppendLine(", Phone= @Phone");
sql.AppendLine("WHERE CustomerID= @rid");

List<SqlParameter> _sqlCommand = new List<SqlParameter>();
_sqlCommand.Add(new SqlParameter("@Addresss", "SouthPort 22/7"));
_sqlCommand.Add(new SqlParameter("@Phone", 1234567890));
_sqlCommand.Add(new SqlParameter("@rid", rid));
dt.ExecuteSqlCommand(conn, _sqlCommand, sql.ToString());




public void ExecuteSqlCommand(string Conn, List<SqlParameter> parameters, string cmdText)
   {
         using (SqlConnection connection = new SqlConnection(Conn))
         {
          connection.Open();
          SqlCommand command = new SqlCommand(cmdText, connection);
          command.CommandType = CommandType.Text;
          if (parameters != null)
         //foreach (SqlParameter _params in parameters)
           command.Parameters.AddRange(parameters.ToArray());
         command.ExecuteNonQuery();
          }
        

    }
Labels:

Comments

Post a Comment

Important - Make sure to click the Notify Me check-box below the comment to be notified of follow up comments and replies.

Popular posts from this blog

Convert your datatable into generic poco object in c# using linq, ado and reflections.

Follow @harshit_parshii The most common problem that we face these days is to create a common class and method that can be used across all the projects and codes. So today I will be sharing my code where you can see how to make and create a generic function without using entity framework for ado. net. The scenario is like you have an old software that uses stored procedure to return set of entities as a data-table, you do not want to re-write the back-end code as you are creating a web API in c# which needs to be delivered asap. You need to map these data tables to models as you might be using MV* pattern. So here we will be doing one to one mapping of model to data- table, and in similar fashion insert or update can also be done. So basically we are converting a data-table to list of strongly typed object model to do CRUD operations. So we have following things before hand. A helper class is referenced as the database(dbFactory) which executes ado. ne...
Post a Comment
Read more

Send a Fax in windows using faxcomexlib and TAPI in VB code .Net

An application that provides sending fax from faxmodem, connected to the computer, will be explained in the following post.  We can use Telephony Application Programming Interface (TAPI) and the Fax Service Extended Component Object Model (COM) API to send fax. The fax service is a Telephony Application Programming Interface (TAPI)-compliant system service that allows users on a network to send and receive faxes from their desktop applications. The service is available on computers that are running Windows 2000 and later. The fax service provides the following features: Transmitting faxes Receiving faxes Flexible routing of inbound faxes Outbound routing Outgoing fax priorities Archiving sent and received faxes Server and device configuration management Client use of server devices for sending and receiving faxes Event logging Activity logging Delivery receipts Security permissions The following Microsoft Visual Basic code example sends a fax. Note that...
Post a Comment
Read more

DTMF (Mobile) based speed control of AC motor.

Introduction: With the advancement of ages from prehistoric to present day scenario our life has become more sophisticated and busy, so to ease the schedule of this busy life, technology has play the vital role in it and for its proper running of machine the technology has gone further by providing digitization of analog machinery and its use is enhanced day by day. This project is based on the same concept by wireless controlling the machinery through mobile system anywhere from the world. This project aims at Speed Control of AC motor using DTMF method; DTMF stands for dual tone multiple frequencies . The main idea of this project is to control the speed of an AC motor by wireless communication using DTMF decoder technique aiming at the fine use of mobile technology in our day to day use of automated products. Mobile phones have different frequencies for each number printed on it. These numbers when pressed during call duration produces a tone of certain frequency. This frequ...
9 comments
Read more