Aug 4th, 2006, 10:08 AM
#5
Addicted Member
Re: 's problem when insert into database
By building your queries using strings and concatenating the arguments in, you open the door to SQL Injection attacks. By manipulating the contents sent, it is feasible to insert and/or view data that otherwise would not be available to the user. I am still pretty new to C#, but what jmcilhinney posted looks to be the equivalent of the Java PreparedStatement. Assuming MS implemented it well, it should do all escaping for you which clears up the possibility of SQL Injections.
While using replace functions can alleviate SQL Injection possibilities, it means that EVERY query you write must go through the same routines. To me, this sounds like a lot of extra, unnecessary work. In addition, if you forget to escape even one query, you have potentially opened your database to the world.
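The three approaches discussed in this post side by side, as an added example that is not code from the thread or from any poster. Python's sqlite3 module stands in for the C# SqlCommand/SqlParameter (or Java PreparedStatement) the post refers to; the `users` table, the names, the e-mail addresses and the injection payload are all constructed for the demo. `executescript()` is used for the concatenated queries because, like many real database drivers, it accepts several statements in one command.

```python
"""Added example: apostrophe breakage and SQL injection with string
concatenation, compared with manual escaping and with parameters.
Constructed demo data; not from the original forum post."""
import sqlite3


def make_db():
    """Fresh in-memory database with a constructed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    return conn


def insert_concat(conn, name, email):
    """VULNERABLE: the values are pasted into the SQL text, exactly like
    building the query with string concatenation in C#. executescript() is
    used because real drivers (SQL Server's included) accept a batch of
    statements in one command; sqlite3's execute() would refuse more than one."""
    sql = ("INSERT INTO users (name, email) VALUES ('" + name + "', '"
           + email + "')")
    conn.executescript(sql)
    return sql


def insert_escaped(conn, name, email):
    """The 'replace' approach from the thread: double every single quote by
    hand before concatenating. It works, but every query in the program has
    to remember to call it."""
    def esc(s):
        return s.replace("'", "''")
    sql = ("INSERT INTO users (name, email) VALUES ('" + esc(name) + "', '"
           + esc(email) + "')")
    conn.executescript(sql)
    return sql


def insert_param(conn, name, email):
    """SAFE: a parameterised query (the PreparedStatement / SqlParameter idea).
    The SQL text is fixed; the driver sends the values separately, so a quote
    inside the data can never terminate the literal or start a new statement."""
    conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))
    conn.commit()


def rows(conn):
    """All (name, email) rows in insertion order."""
    return list(conn.execute("SELECT name, email FROM users ORDER BY rowid"))


def demo():
    """Runs the three approaches against a name with an apostrophe and an
    injection payload; returns what ended up in the table in each case."""
    results = {}
    apostrophe = "O'Brien"
    # Constructed payload for the e-mail field: closes the VALUES list, appends a
    # DELETE, then turns the leftover "')" of the original query into SELECT ('').
    payload = "a@b'); DELETE FROM users; SELECT ('"

    # 1. Concatenation: a legitimate apostrophe alone is already a syntax error.
    conn = make_db()
    try:
        insert_concat(conn, apostrophe, "ob@example.com")
        results["concat_apostrophe"] = "inserted"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"

    # 2. Concatenation with the payload: the attacker's DELETE runs and
    #    wipes the table, including alice's row.
    conn = make_db()
    insert_param(conn, "alice", "alice@example.com")
    insert_concat(conn, "mallory", payload)
    results["concat_payload_rows"] = rows(conn)

    # 3. Manual escaping: both values are stored as literal text.
    conn = make_db()
    insert_param(conn, "alice", "alice@example.com")
    insert_escaped(conn, apostrophe, "ob@example.com")
    insert_escaped(conn, "mallory", payload)
    results["escaped_rows"] = rows(conn)

    # 4. Parameters: same outcome as escaping, with nothing to forget per query.
    conn = make_db()
    insert_param(conn, "alice", "alice@example.com")
    insert_param(conn, apostrophe, "ob@example.com")
    insert_param(conn, "mallory", payload)
    results["param_rows"] = rows(conn)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Running `demo()` shows the concatenated query failing on `O'Brien`, then emptying the table when given the payload, while the escaped and parameterised inserts both store the payload as harmless text. The escaping variant is only safe for as long as nobody writes a query that skips `esc()`; the parameterised variant has no such per-query step to forget, which is the point made above.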