Proper way to instantiate a class
Message
From: 23/12/2005 13:32:21
To: 23/12/2005 13:25:41
General information
Forum: ASP.NET
Category: Class design, Miscellaneous
Thread ID: 01079105
Message ID: 01080611
Views: 23
>A little more info on Injection Attacks. I've heard about them for a while, and I was in the bookstore last night. I was looking at an ADO.Net book that discussed this issue, so I understand a little better.
>
>An injection attack occurs when you have a textbox on the screen where you prompt for a value, and then you dynamically build your SQL so your WHERE looks like "Where columnvalue = textboxvalue".
>
>An injection attack could occur if someone inputs a SQL statement in the correct format in the textbox. This will cause your SQL statement to be treated like a comment and not run, and the hacker's SQL statement to execute instead.
>
>A malicious update statement could corrupt your entire database at that point.

Yes, I understand now since Rod generously provided a good approach.

However, my approach was to always use something like:
loDataAdapter.cSQL="SELECT MyField FROM MyTable WHERE MyColumn="""+lcMyValue+""""
and not
loDataAdapter.cSQL="SELECT MyField FROM MyTable WHERE MyColumn=lcMyValue"
It is unclear to me whether the first approach I always used was a candidate for SQL injection.
Michel Fournier
Level Extreme Inc.
Designer, architect, owner of the Level Extreme Platform
Subscribe to the site at https://www.levelextreme.com/Home/DataEntry?Activator=55&NoStore=303
Subscription benefits https://www.levelextreme.com/Home/ViewPage?Activator=7&ID=52
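Added example, not code from the thread: the concatenated form from the post next to its parameterized equivalent, run against a constructed in-memory SQLite table so the difference is visible. It assumes single quotes as the SQL string delimiter in place of the post's double quotes, and the ADO.NET counterpart of the `?` placeholder is a SqlParameter.

```python
import sqlite3

# Constructed sample rows standing in for MyTable from the post.
SAMPLE_ROWS = [
    ("secret-1", "alice"),
    ("secret-2", "bob"),
    ("secret-3", "carol"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (MyField TEXT, MyColumn TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def concat_query(conn, value):
    """The post's pattern: the value is glued into the SQL text between quotes.
    The quotes only delimit the literal; a value containing a quote ends the
    literal early and the remainder of the input is parsed as SQL."""
    sql = "SELECT MyField FROM MyTable WHERE MyColumn='" + value + "'"
    return [row[0] for row in conn.execute(sql)]


def param_query(conn, value):
    """Parameterized form (ADO.NET equivalent: SqlParameter). The value never
    becomes part of the SQL text, so it is always compared as data."""
    sql = "SELECT MyField FROM MyTable WHERE MyColumn = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def compare(value):
    """Run both forms on the same input; return (concat_result, param_result)."""
    conn = make_db()
    try:
        return concat_query(conn, value), param_query(conn, value)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both forms agree.
    print(compare("bob"))
    # Input that closes the quote and comments out the trailing quote, as the
    # quoted reply describes: the concatenated form returns every row, the
    # parameterized form matches nothing.
    print(compare("' OR 1=1 --"))
```

The answer to the question in the post is therefore yes: wrapping the value in quotes does not protect the concatenated form, while the parameterized form treats the same input as an ordinary string.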