>If you concatenate strings to build query statements, you can open your system to malicious SQL injection attacks from hackers. Take for example the following code sample shown at the beginning of this topic: > >In C#: >public DataSet GetOrdersByCustomerID(string custID) >{ > mmDataSet dsOrders = this.GetDataSet("SELECT * FROM Orders WHERE CustomerID = '" + > custID + "'"); > > return dsOrders; >} >In VB .NET: > > >Public Function GetOrdersByCustomerID(custID As String) As DataSet > Dim dsOrders As mmDataSet = Me.GetDataSet( _ > "SELECT * FROM Orders WHERE CustomerID = '" & custID & "'") > > Return dsOrders >End Function >Someone with malicious intent could pass the following customer ID value to this method: > >"1' DROP table employees --" >When this value is concatenated to your SQL statement, you get the following: > > >SELECT * FROM >Orders WHERE CustomerID = '1' >DROP table employees >Executing this SQL command completely removes the Employees table from your database! The reason this works is because a double-hyphen "--" is a comment operator in SQL that causes the final single quote to be ignored by SQL Server. > >>
> private void InitializeComponent() > { > this.sqlDataAdapter1 = new System.Data.SqlClient.SqlDataAdapter(); > this.sqlSelectCommand1 = new System.Data.SqlClient.SqlCommand(); > this.sqlInsertCommand1 = new System.Data.SqlClient.SqlCommand(); > this.sqlUpdateCommand1 = new System.Data.SqlClient.SqlCommand(); > this.sqlDeleteCommand1 = new System.Data.SqlClient.SqlCommand(); > this.sqlConnection1 = new System.Data.SqlClient.SqlConnection(); > // > // sqlDataAdapter1 > // > this.sqlDataAdapter1.DeleteCommand = this.sqlDeleteCommand1; > this.sqlDataAdapter1.InsertCommand = this.sqlInsertCommand1; > this.sqlDataAdapter1.SelectCommand = this.sqlSelectCommand1; > this.sqlDataAdapter1.TableMappings.AddRange(new System.Data.Common.DataTableMapping[] { > new System.Data.Common.DataTableMapping("Table", "clients", new System.Data.Common.DataColumnMapping[] { > new System.Data.Common.DataColumnMapping("ClientID", "ClientID"), > new System.Data.Common.DataColumnMapping("ClientName", "ClientName")})}); > this.sqlDataAdapter1.UpdateCommand = this.sqlUpdateCommand1; > // > // sqlSelectCommand1 > // > this.sqlSelectCommand1.CommandText = "SELECT ClientID, ClientName FROM clients"; > this.sqlSelectCommand1.Connection = this.sqlConnection1; > // > // sqlInsertCommand1 > // > this.sqlInsertCommand1.CommandText = "INSERT INTO clients(ClientName) VALUES (@ClientName); SELECT ClientID, ClientName" + > " FROM clients WHERE (ClientID = @@IDENTITY)"; > this.sqlInsertCommand1.Connection = this.sqlConnection1; > this.sqlInsertCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientName", System.Data.SqlDbType.VarChar, 200, "ClientName")); > // > // sqlUpdateCommand1 > // > this.sqlUpdateCommand1.CommandText = "UPDATE clients SET ClientName = @ClientName WHERE (ClientID = @Original_ClientID)" + > " AND (ClientName = @Original_ClientName OR @Original_ClientName IS NULL AND Clie" + > "ntName IS NULL); SELECT ClientID, ClientName FROM clients WHERE (ClientID = @Cli" + > "entID)"; > this.sqlUpdateCommand1.Connection = this.sqlConnection1; > this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientName", System.Data.SqlDbType.VarChar, 200, "ClientName")); > this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientID", System.Data.SqlDbType.Int, 4, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientID", System.Data.DataRowVersion.Original, null)); > this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientName", System.Data.SqlDbType.VarChar, 200, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientName", System.Data.DataRowVersion.Original, null)); > this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientID", System.Data.SqlDbType.Int, 4, "ClientID")); > // > // sqlDeleteCommand1 > // > this.sqlDeleteCommand1.CommandText = "DELETE FROM clients WHERE (ClientID = @Original_ClientID) AND (ClientName = @Orig" + > "inal_ClientName OR @Original_ClientName IS NULL AND ClientName IS NULL)"; > this.sqlDeleteCommand1.Connection = this.sqlConnection1; > this.sqlDeleteCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientID", System.Data.SqlDbType.Int, 4, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientID", System.Data.DataRowVersion.Original, null)); > this.sqlDeleteCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientName", System.Data.SqlDbType.VarChar, 200, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientName", System.Data.DataRowVersion.Original, null)); > // > // sqlConnection1 > // > this.sqlConnection1.ConnectionString = "workstation id=zzzzzzz;packet size=4096;user id=zzzzz;data source=zzzzzzzzzzzzz;" + > "persist security info=False;initial catalog=zzzzzzzzzzzz"; > > } > >>