Oct 22, 2013

Preventing SQL injection in ASP.NET websites

A query built by string concatenation, where username, startdate and enddate come straight from user input, is open to SQL injection:

// Vulnerable: user-supplied values are concatenated directly into the SQL text
string queryStr = "select email, fullname from t_employee where user_name = '" + username + "' and user_date between '" + startdate + "' and '" + enddate + "'";
 
To prevent query injection, replace the concatenation with a stored procedure or parameterised T-SQL, so the values travel separately from the command text:
 

using System.Data;
using System.Data.SqlClient;

string queryStr = "select email, fullname from t_employee where user_name = @USER and user_date between @startdate and @enddate";

SqlCommand cmd = new SqlCommand(queryStr, connection);  // connection is an open SqlConnection
cmd.Parameters.Add("@USER", SqlDbType.NVarChar, 100);   // Assuming type and size
cmd.Parameters["@USER"].Value = username;
cmd.Parameters.Add("@startdate", SqlDbType.DateTime);
cmd.Parameters["@startdate"].Value = startdate;
cmd.Parameters.Add("@enddate", SqlDbType.DateTime);
cmd.Parameters["@enddate"].Value = enddate;
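The stored-procedure alternative mentioned above, as an added example that is not code from the original post. It assumes a hypothetical procedure usp_GetEmployeeByUserAndDateRange taking the same three parameters, and shows the dates passed as typed DateTime values rather than strings.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class EmployeeRepository
{
    // Hypothetical procedure name (assumed to exist). Its T-SQL body would be:
    //   CREATE PROCEDURE usp_GetEmployeeByUserAndDateRange
    //       @USER NVARCHAR(100), @startdate DATETIME, @enddate DATETIME
    //   AS
    //       SELECT email, fullname FROM t_employee
    //       WHERE user_name = @USER AND user_date BETWEEN @startdate AND @enddate;
    private const string ProcName = "usp_GetEmployeeByUserAndDateRange";

    public static List<(string Email, string FullName)> GetEmployees(
        string connectionString, string username, DateTime startDate, DateTime endDate)
    {
        var results = new List<(string Email, string FullName)>();

        using (var connection = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(ProcName, connection))
        {
            // The command text is only the procedure name; no user input is concatenated.
            cmd.CommandType = CommandType.StoredProcedure;

            // Typed parameters are sent out of band from the command text, so a
            // quote or comment sequence inside username is just data, not SQL.
            // The DateTime parameters also reject non-date input before it reaches SQL.
            cmd.Parameters.Add("@USER", SqlDbType.NVarChar, 100).Value = username;
            cmd.Parameters.Add("@startdate", SqlDbType.DateTime).Value = startDate;
            cmd.Parameters.Add("@enddate", SqlDbType.DateTime).Value = endDate;

            connection.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add((reader.GetString(0), reader.GetString(1)));
                }
            }
        }
        return results;
    }
}
```

The same parameter list works for the inline parameterised query shown above; only CommandType and the command text change.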
