Trying to switch from direct SQL command to SP
Message
General information
Forum: ASP.NET
Category: Databases
Environment versions
Environment: C# 3.0
OS: Windows XP
Network: Windows 2003 Server
Database: MS SQL Server
Miscellaneous
Thread ID: 01331721
Message ID: 01331800
Views: 7
>>>Your current code is a prime target for SQL injection attacks. Concatenating strings to build a SQL statement from anything coming from user-input fields is a big no-no. Use SQL parameters for that kind of thing.
>>>
>>
>>After speaking with my colleague, it looks like I have to abandon this idea for now. It's too complicated to change.
>
>http://xkcd.com/327/

:)

Well, since we're splitting words, it's not that critical, e.g. we're going to search by "Drop" "table" "students"....
If it's not broken, fix it until it is.


My Blog
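
A parameterized form of the split-word search discussed in this thread, as an added example that is not code from any poster: each word becomes its own `SqlParameter`, so the statement text keeps the same shape whatever the words contain. The table `dbo.Students`, the columns `Id` and `Name`, the 20-word cap and the `WordSearch` class are assumptions, since the thread does not show the real schema or query.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class WordSearch
{
    const int MaxWords = 20; // assumed cap; keeps the parameter count small and bounded

    // Builds the command only; the caller assigns cmd.Connection and executes it.
    public static SqlCommand Build(string userInput)
    {
        string[] words = (userInput ?? "").Split(
            new[] { ' ', '\t', '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries);

        SqlCommand cmd = new SqlCommand();
        List<string> clauses = new List<string>();
        for (int i = 0; i < words.Length && i < MaxWords; i++)
        {
            string name = "@w" + i; // generated here, never taken from input
            clauses.Add("Name LIKE " + name + " ESCAPE '\\'");
            // The word travels as a typed value, not as part of the SQL text.
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 4000).Value =
                "%" + EscapeLike(words[i]) + "%";
        }
        // dbo.Students, Id and Name are hypothetical names for this example.
        cmd.CommandText = "SELECT Id, Name FROM dbo.Students"
            + (clauses.Count > 0 ? " WHERE " + string.Join(" AND ", clauses.ToArray()) : "");
        return cmd;
    }

    // LIKE wildcards typed by the user are matched literally instead of widening the search.
    static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\").Replace("%", "\\%")
                .Replace("_", "\\_").Replace("[", "\\[");
    }

    static void Main()
    {
        // Constructed input: splitting on spaces leaves the apostrophe and the % in place.
        SqlCommand cmd = Build("O'Brien 100% students");
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine("{0} = {1}", p.ParameterName, p.Value);
    }
}
```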