Solved

c# How does SQL Command Paramatized Query Prevent SQL Injection

Posted on 2009-05-05
3
594 Views
Last Modified: 2012-05-06
As title.
I am building an SQL Command like.
SqlCommand cmd = new SqlCommand(Delete from Customers where CustomerID = @CustomerID);

cmd.Parameters.AddWithValue("@CustomerID", CustomerID);

How does this acutally prevent SQL Injection?

If CustomerID was a string and a user entered "BobsCustomerID; drop table Customers"  how is this not a risk with a parametized query.
0
Comment
Question by:andrewmilner
3 Comments
 
LVL 23

Accepted Solution

by:
adathelad earned 200 total points
ID: 24303921
Because you're not actually executing that as a statement, you're searching for a value in the CustomerID field that has that value.

If you don't use parameterised sql, but instead buld up the SQL adhoc like this:

string sql = "DELETE FROM Customers WHERE CustomerID = '" + userEnteredValue + "'"

Then you are at risk as the user could supply a value that, when concatenated into an SQL statement and executed like this, could have negative affects.
0
 
LVL 31

Assisted Solution

by:RiteshShah
RiteshShah earned 150 total points
ID: 24303938
simply because you are adding value of parameter not a part of T-SQL statement in ad-hoc query.
0
 
LVL 26

Assisted Solution

by:Anurag Thakur
Anurag Thakur earned 150 total points
ID: 24304030
what you are trying to do will make no impact on sql injection as customerid will be matched with the customer id even if it contains injection attack
here is the link for how to prevent such attacks http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Performance in games development is paramount: every microsecond counts to be able to do everything in less than 33ms (aiming at 16ms). C# foreach statement is one of the worst performance killers, and here I explain why.
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question