Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 612
  • Last Modified:

c# How does SQL Command Paramatized Query Prevent SQL Injection

As title.
I am building an SQL Command like.
SqlCommand cmd = new SqlCommand(Delete from Customers where CustomerID = @CustomerID);

cmd.Parameters.AddWithValue("@CustomerID", CustomerID);

How does this acutally prevent SQL Injection?

If CustomerID was a string and a user entered "BobsCustomerID; drop table Customers"  how is this not a risk with a parametized query.
0
andrewmilner
Asked:
andrewmilner
3 Solutions
 
adatheladCommented:
Because you're not actually executing that as a statement, you're searching for a value in the CustomerID field that has that value.

If you don't use parameterised sql, but instead buld up the SQL adhoc like this:

string sql = "DELETE FROM Customers WHERE CustomerID = '" + userEnteredValue + "'"

Then you are at risk as the user could supply a value that, when concatenated into an SQL statement and executed like this, could have negative affects.
0
 
RiteshShahCommented:
simply because you are adding value of parameter not a part of T-SQL statement in ad-hoc query.
0
 
Anurag ThakurTechnical ManagerCommented:
what you are trying to do will make no impact on sql injection as customerid will be matched with the customer id even if it contains injection attack
here is the link for how to prevent such attacks http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now