SQL Injection

Arne

Will the code below protect me from SQL injection in an ASP.Net page?
Imports System.Data.SqlClient

Dim cmd As New SqlCommand()
Dim prm As SqlParameter
Dim salary As String
cmd.Connection = conn ' conn: an already opened SqlConnection
cmd.CommandText = "select salary from employee where name=@name"
prm = New SqlParameter("@name", name.Text)
cmd.Parameters.Add(prm)
' ExecuteScalar returns the first column of the first row;
' ExecuteNonQuery would only return the affected-row count
salary = CStr(cmd.ExecuteScalar())
 
Cactus Corp.

Arne said:
Will the code below protect me from SQL injection in an ASP.Net page?
Imports System.Data.SqlClient

Dim cmd As New SqlCommand()
Dim prm As SqlParameter
Dim salary As String
cmd.Connection = conn ' conn: an already opened SqlConnection
cmd.CommandText = "select salary from employee where name=@name"
prm = New SqlParameter("@name", name.Text)
cmd.Parameters.Add(prm)
' ExecuteScalar returns the first column of the first row;
' ExecuteNonQuery would only return the affected-row count
salary = CStr(cmd.ExecuteScalar())

It should.

But it should not be used as a mitigation technique on its own; the name.Text
value should first be checked against your acceptance rules.

Best practice would be to make a global static method that checks the
validity of an input against a regular expression.

If SecurityUtils.IsInputValid(name.Text, "[a-zA-Z]{1,30}") Then
    ' ...do something
End If

antoine
 
Dominick Baier [DevelopMentor]

Hello Arne,

Yes.

Besides that, this code sample implies that this application can retrieve
the salary of an arbitrary user in your database...
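The following is an added example, not code posted by Arne, antoine or Dominick, that puts the three points of this thread together in one ASP.NET Web Forms code-behind: a SecurityUtils.IsInputValid allowlist check as antoine describes, the parameterised lookup from Arne's question (using ExecuteScalar rather than ExecuteNonQuery), and an authorisation check so that the page cannot return an arbitrary employee's salary, which is Dominick's objection. The class names SecurityUtils and SalaryRepository, the "Payroll" connection string, the "HR" role and the page controls named name and result are all assumptions made for the example.

```vb
' Added example; assumes an ASP.NET Web Forms page with a TextBox "name",
' a Label "result" and a connection string "Payroll" in web.config.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Public NotInheritable Class SecurityUtils
    Private Sub New()
    End Sub

    ' Allowlist check. The pattern is anchored with ^ and $ so the WHOLE value must
    ' match; "Smith' OR 1=1--" fails here before any SQL is ever built.
    ' The match timeout guards against pathological (catastrophic-backtracking) patterns.
    Public Shared Function IsInputValid(ByVal input As String, ByVal pattern As String) As Boolean
        If input Is Nothing Then Return False
        Return Regex.IsMatch(input, "^(?:" & pattern & ")$", RegexOptions.None, TimeSpan.FromMilliseconds(100))
    End Function
End Class

Public Class SalaryRepository
    Private ReadOnly _connectionString As String

    Public Sub New(ByVal connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Parameterised lookup: the name travels as a typed NVARCHAR(30) parameter and is
    ' never concatenated into the SQL text, so the input cannot alter the query structure.
    Public Function GetSalary(ByVal employeeName As String) As Decimal?
        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand("SELECT salary FROM employee WHERE name = @name", conn)
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 30).Value = employeeName
                conn.Open()
                ' ExecuteScalar returns the first column of the first row, or Nothing/DBNull
                ' when there is no row. ExecuteNonQuery would only return a row count.
                Dim value As Object = cmd.ExecuteScalar()
                If value Is Nothing OrElse value Is DBNull.Value Then Return Nothing
                Return Convert.ToDecimal(value)
            End Using
        End Using
    End Function
End Class

Partial Public Class SalaryPage
    Inherits System.Web.UI.Page

    Private Const NamePattern As String = "[a-zA-Z]{1,30}"

    Protected Sub Lookup_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' 1. Validate the input against the allowlist before touching the database.
        If Not SecurityUtils.IsInputValid(name.Text, NamePattern) Then
            result.Text = "Invalid name."
            Return
        End If

        ' 2. Authorise: a user may see only their own salary unless they hold the HR role.
        '    The caller's identity comes from the authenticated principal, not from the form.
        Dim caller As String = User.Identity.Name
        Dim isOwnRecord As Boolean = String.Equals(name.Text, caller, StringComparison.OrdinalIgnoreCase)
        If Not isOwnRecord AndAlso Not User.IsInRole("HR") Then
            result.Text = "You may only view your own salary."
            Return
        End If

        ' 3. Run the parameterised query.
        Dim cs As String = ConfigurationManager.ConnectionStrings("Payroll").ConnectionString
        Dim repo As New SalaryRepository(cs)
        Dim salary As Decimal? = repo.GetSalary(name.Text)
        result.Text = If(salary.HasValue, salary.Value.ToString("C"), "No such employee.")
    End Sub
End Class
```

Validation and parameterisation are not substitutes for each other: the parameter stops the input from changing the query, the allowlist rejects values the application never expects, and the role check is what actually decides whose salary the page is allowed to show.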
 
