Sorry for being so long, Questions is about the bottom, I made it long so you have an understanding of what I am talking about.
In the process of building my website I have, come across a piece in the help from MM(I hope this okay that I posted it) that said....
If you concatenate strings to build query statements, you can open your system to malicious SQL injection attacks from hackers. Take for example the following code sample shown at the beginning of this topic:
In C#:
public DataSet GetOrdersByCustomerID(string custID)
{
mmDataSet dsOrders = this.GetDataSet("SELECT * FROM Orders WHERE CustomerID = '" +
custID + "'");
return dsOrders;
}
In VB .NET:
Public Function GetOrdersByCustomerID(custID As String) As DataSet
Dim dsOrders As mmDataSet = Me.GetDataSet( _
"SELECT * FROM Orders WHERE CustomerID = '" & custID & "'")
Return dsOrders
End Function
Someone with malicious intent could pass the following customer ID value to this method:
"1' DROP table employees --"
When this value is concatenated to your SQL statement, you get the following:
SELECT * FROM
Orders WHERE CustomerID = '1'
DROP table employees
Executing this SQL command completely removes the Employees table from your database! The reason this works is because a double-hyphen "--" is a comment operator in SQL that causes the final single quote to be ignored by SQL Server.Now, when i follow the route of creating a commandobject, it creates the following :
private void InitializeComponent()
{
this.sqlDataAdapter1 = new System.Data.SqlClient.SqlDataAdapter();
this.sqlSelectCommand1 = new System.Data.SqlClient.SqlCommand();
this.sqlInsertCommand1 = new System.Data.SqlClient.SqlCommand();
this.sqlUpdateCommand1 = new System.Data.SqlClient.SqlCommand();
this.sqlDeleteCommand1 = new System.Data.SqlClient.SqlCommand();
this.sqlConnection1 = new System.Data.SqlClient.SqlConnection();
this.sqlDataAdapter1.DeleteCommand = this.sqlDeleteCommand1;
this.sqlDataAdapter1.InsertCommand = this.sqlInsertCommand1;
this.sqlDataAdapter1.SelectCommand = this.sqlSelectCommand1;
this.sqlDataAdapter1.TableMappings.AddRange(new System.Data.Common.DataTableMapping[] {
new System.Data.Common.DataTableMapping("Table", "clients", new System.Data.Common.DataColumnMapping[] {
new System.Data.Common.DataColumnMapping("ClientID", "ClientID"),
new System.Data.Common.DataColumnMapping("ClientName", "ClientName")})});
this.sqlDataAdapter1.UpdateCommand = this.sqlUpdateCommand1;
this.sqlSelectCommand1.CommandText = "SELECT ClientID, ClientName FROM clients";
this.sqlSelectCommand1.Connection = this.sqlConnection1;
this.sqlInsertCommand1.CommandText = "INSERT INTO clients(ClientName) VALUES (@ClientName); SELECT ClientID, ClientName" +
" FROM clients WHERE (ClientID = @@IDENTITY)";
this.sqlInsertCommand1.Connection = this.sqlConnection1;
this.sqlInsertCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientName", System.Data.SqlDbType.VarChar, 200, "ClientName"));
this.sqlUpdateCommand1.CommandText = "UPDATE clients SET ClientName = @ClientName WHERE (ClientID = @Original_ClientID)" +
" AND (ClientName = @Original_ClientName OR @Original_ClientName IS NULL AND Clie" +
"ntName IS NULL); SELECT ClientID, ClientName FROM clients WHERE (ClientID = @Cli" +
"entID)";
this.sqlUpdateCommand1.Connection = this.sqlConnection1;
this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientName", System.Data.SqlDbType.VarChar, 200, "ClientName"));
this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientID", System.Data.SqlDbType.Int, 4, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientID", System.Data.DataRowVersion.Original, null));
this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientName", System.Data.SqlDbType.VarChar, 200, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientName", System.Data.DataRowVersion.Original, null));
this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientID", System.Data.SqlDbType.Int, 4, "ClientID"));
this.sqlDeleteCommand1.CommandText = "DELETE FROM clients WHERE (ClientID = @Original_ClientID) AND (ClientName = @Orig" +
"inal_ClientName OR @Original_ClientName IS NULL AND ClientName IS NULL)";
this.sqlDeleteCommand1.Connection = this.sqlConnection1;
this.sqlDeleteCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientID", System.Data.SqlDbType.Int, 4, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientID", System.Data.DataRowVersion.Original, null));
this.sqlDeleteCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientName", System.Data.SqlDbType.VarChar, 200, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientName", System.Data.DataRowVersion.Original, null));
this.sqlConnection1.ConnectionString = "workstation id=zzzzzzz;packet size=4096;user id=zzzzz;data source=zzzzzzzzzzzzz;" +
"persist security info=False;initial catalog=zzzzzzzzzzzz";
}If I change the table structure I have to modify the above component every time, I understand that I should have the structure done but what do we do when we want to add new fields in 5 years from now?
Is there a better way?
This info is all contained in the business object inside a separate project(as suggested by MM - I think this is a great idea by the way!)
TIA
