parameterized query in .net

  • dipalichavan82
    New Member
    • Feb 2008
    • 41

    parameterized query in .net

    I came across an article where it was mentioned that if we want a dynamic query to fire then use a parameterized query,
    e.g.
    string inputCity = textBox.Text;
    SqlCommand cmd = new SqlCommand("select * from Customers where city = '" + inputCity + "'");
    Don't ever build a query this way!


    as this leads to hacking.
    Instead do it like this:

    SqlCommand cmd = new SqlCommand("select * from Customers where city = @City", conn);
    SqlParameter param = new SqlParameter();
    param.ParameterName = "@City";
    param.Value = inputCity;
    cmd.Parameters.Add(param);

    Do you really think the hacking problem can be solved using a parameterized query? If yes, please tell me how the hacking problem is solved.

    Thanks in advance
  • debasisdas
    Recognized Expert Expert
    • Dec 2006
    • 8119

    #2
    Parameterized query is OK but I don't understand how that is related to hacking.


    • dipalichavan82
      New Member
      • Feb 2008
      • 41

      #3
      In the above example the author said case 1 is the wrong way of implementation because:


      The input variable, inputCity, is typically retrieved from a TextBox control on either a Windows form or a Web Page. Anything placed into that TextBox control will be put into inputCity and added to your SQL string. This situation invites a hacker to replace that string with something malicious. In the worst case, you could give full control of your computer away.

      But I think the same chances are there when we use a parameterized query.


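As an added example (not code from the thread or the article it quotes), here are both commands from the post built in C# without opening a connection, so it runs offline; the connection string and the Customers table are placeholders. It shows why the two cases differ: with concatenation the input becomes part of the SQL text, while with a parameter the SQL text stays fixed and the input is carried separately as a typed value, so it can never be parsed as SQL.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the thread; connection string and table are placeholders.
class ParameterizedQueryDemo
{
    // Case 1: string concatenation. The input is spliced into the SQL text,
    // so a value containing a quote changes the statement itself.
    static SqlCommand BuildConcatenated(string inputCity, SqlConnection conn)
    {
        return new SqlCommand(
            "select * from Customers where city = '" + inputCity + "'", conn);
    }

    // Case 2: parameterized. The SQL text never changes; the input is sent to
    // the server as the value of @City, which the server treats as data only.
    static SqlCommand BuildParameterized(string inputCity, SqlConnection conn)
    {
        var cmd = new SqlCommand("select * from Customers where city = @City", conn);
        // Give the parameter an explicit type and size matching the column
        // instead of letting AddWithValue infer one from the .NET value.
        var param = new SqlParameter("@City", SqlDbType.NVarChar, 50) { Value = inputCity };
        cmd.Parameters.Add(param);
        return cmd;
    }

    static void Main()
    {
        // Constructed input: an ordinary city name that happens to contain a quote.
        string inputCity = "O'Fallon";
        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER"))
        {
            SqlCommand bad = BuildConcatenated(inputCity, conn);
            SqlCommand good = BuildParameterized(inputCity, conn);

            // Concatenated text now has an unbalanced quote: the statement was
            // rewritten by the input, which is exactly what an attacker exploits.
            Console.WriteLine("Concatenated:  " + bad.CommandText);
            // Parameterized text is identical to what the developer wrote; the
            // quote lives only in the parameter value and is never parsed as SQL.
            Console.WriteLine("Parameterized: " + good.CommandText);
            Console.WriteLine("@City value:   " + good.Parameters["@City"].Value);
        }
    }
}
```

Run it and compare the two printed statements: only the concatenated one changes with the input, which is why the article says never to build a query that way.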