Trying to switch from direct SQL command to SP

Plateforme Level Extreme

Abonnement

Profil corporatif

Produits & Services

Support

Légal

English

Trying to switch from direct SQL command to SP

Message

16/07/2008 16:10:33

Paul Mrozowski
Rcs Solutions, Inc.
Macomb, Michigan, États-Unis

16/07/2008 15:57:29

Naomi Nosonovsky
Wisconsin, États-Unis

Information générale

Forum:

ASP.NET

Catégorie:

Bases de données

Titre:

Re: Trying to switch from direct SQL command to SP

Versions des environnements

Environment:

C# 3.0

OS:

Windows XP

Network:

Windows 2003 Server

Database:

MS SQL Server

Divers

Thread ID:

01331721

Message ID:

01331793

Vues:

>>Your current code is a prime target for SQL injection attacks. Concatinating strings to build a SQL statement from anything coming from a user-input fields is a big no-no. Use SQL parameters for that kind of thing.
>>
>
>After speaking with my colleague looks like I have to abandon this idea for now. It's too complicated to change.

http://xkcd.com/327/

-Paul

RCS Solutions, Inc.
Blog
Twitter

Répondre

Fil

Voir

Click here to load this message in the networking platform