Trying to switch from direct SQL command to SP
General information
Forum: ASP.NET
Category: Databases

Environment versions
Environment: C# 3.0
OS: Windows XP
Network: Windows 2003 Server
Database: MS SQL Server

Miscellaneous
Thread ID: 01331721
Message ID: 01331793
Views: 9

>>Your current code is a prime target for SQL injection attacks. Concatenating strings to build a SQL statement from anything coming from user-input fields is a big no-no. Use SQL parameters for that kind of thing.
>>
>
>After speaking with my colleague, it looks like I have to abandon this idea for now. It's too complicated to change.

http://xkcd.com/327/
-Paul

RCS Solutions, Inc.
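
The change discussed in this thread, as an added example that is not part of the original posts: a concatenated query, the same direct SQL command with a parameter, and the stored procedure form. The table, column and procedure names (Customers, LastName, dbo.Customer_FindByLastName) and the 50-character column width are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical names throughout; connStr is supplied by the caller.
public static class CustomerQueries
{
    // Before: the input becomes part of the SQL text and is parsed as SQL.
    // A value such as O'Brien already breaks the statement.
    public static DataTable FindConcatenated(string connStr, string lastName)
    {
        string sql = "SELECT CustomerId, LastName FROM Customers " +
                     "WHERE LastName = '" + lastName + "'";
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
            return Fill(cmd);
    }

    // After: still a direct SQL command, but the SQL text is constant and
    // the value is sent separately as a typed parameter.
    public static DataTable FindParameterized(string connStr, string lastName)
    {
        const string sql = "SELECT CustomerId, LastName FROM Customers " +
                           "WHERE LastName = @lastName";
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
            return Fill(AddLastName(cmd, lastName));
    }

    // Stored procedure: only the command text and CommandType differ.
    public static DataTable FindViaProcedure(string connStr, string lastName)
    {
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand("dbo.Customer_FindByLastName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            return Fill(AddLastName(cmd, lastName));
        }
    }

    private static SqlCommand AddLastName(SqlCommand cmd, string lastName)
    {
        // A null Value means "parameter not supplied", so map it to DBNull.
        cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 50).Value =
            (object)lastName ?? DBNull.Value;
        return cmd;
    }

    private static DataTable Fill(SqlCommand cmd)
    {
        DataTable table = new DataTable();
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            adapter.Fill(table); // Fill opens and closes the connection itself
        return table;
    }
}
```

A stored procedure gives the same protection only if it does not concatenate its parameters into dynamic SQL internally.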