Trying to switch from direct SQL command to SP
Message
General information
Forum:
ASP.NET
Category:
Databases
Environment versions
Environment:
C# 3.0
OS:
Windows XP
Network:
Windows 2003 Server
Database:
MS SQL Server
Miscellaneous
Thread ID:
01331721
Message ID:
01331800
Views:
8
>>>Your current code is a prime target for SQL injection attacks. Concatenating strings to build a SQL statement from anything coming from user-input fields is a big no-no. Use SQL parameters for that kind of thing.
>>>
>>
>>After speaking with my colleague looks like I have to abandon this idea for now. It's too complicated to change.
>
>http://xkcd.com/327/

:)

Well, since we're splitting words, it's not that critical; e.g. we're going to search by "Drop", "table", "students"...
If it's not broken, fix it until it is.


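An added example, not code from this thread, showing what the quoted "use SQL parameters" advice looks like for the word-split search discussed here: each word becomes its own SqlParameter, so the words travel as data and never become part of the SQL text. The Students table and its LastName column are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

static class StudentSearch
{
    // Parameterised search over user-supplied words (C# 3.0 / ADO.NET).
    // The SQL text only ever contains placeholders (@term0, @term1, ...);
    // the word values are sent separately, so splitting on spaces is not
    // what keeps the query safe. With string concatenation, a word that
    // contains a single quote would end the literal and the rest of the
    // word would be parsed as SQL; with parameters it is just a value.
    public static SqlCommand BuildSearch(SqlConnection conn, string userInput, int maxTerms)
    {
        string[] words = userInput.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (words.Length == 0 || words.Length > maxTerms)
            throw new ArgumentException("expected 1.." + maxTerms + " search words");
        SqlCommand cmd = conn.CreateCommand();
        // Assumed schema: Students(StudentId, LastName).
        StringBuilder sql = new StringBuilder("SELECT StudentId, LastName FROM Students WHERE ");
        for (int i = 0; i < words.Length; i++)
        {
            string name = "@term" + i;
            if (i > 0) sql.Append(" OR ");
            sql.Append("LastName LIKE ").Append(name);
            // Escape LIKE wildcards so the user's word matches literally, then add our own.
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 100).Value = "%" + EscapeLike(words[i]) + "%";
        }
        cmd.CommandText = sql.ToString();
        return cmd;
    }

    // SQL Server LIKE metacharacters: '[' must be escaped first, then '%' and '_'.
    static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    static void Main()
    {
        // Builds the command against an unopened connection, so this runs without a database.
        SqlCommand cmd = BuildSearch(new SqlConnection(), "Drop table students", 5);
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine("{0} = {1}", p.ParameterName, p.Value);
    }
}
```

The same command text and parameters can be moved into a stored procedure that takes one parameter per term; the client-side part stays the same, only CommandType and CommandText change.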