Solved

c# How does SQL Command Paramatized Query Prevent SQL Injection

Posted on 2009-05-05
3
588 Views
Last Modified: 2012-05-06
As title.
I am building an SQL Command like.
SqlCommand cmd = new SqlCommand(Delete from Customers where CustomerID = @CustomerID);

cmd.Parameters.AddWithValue("@CustomerID", CustomerID);

How does this acutally prevent SQL Injection?

If CustomerID was a string and a user entered "BobsCustomerID; drop table Customers"  how is this not a risk with a parametized query.
0
Comment
Question by:andrewmilner
3 Comments
 
LVL 23

Accepted Solution

by:
adathelad earned 200 total points
ID: 24303921
Because you're not actually executing that as a statement, you're searching for a value in the CustomerID field that has that value.

If you don't use parameterised sql, but instead buld up the SQL adhoc like this:

string sql = "DELETE FROM Customers WHERE CustomerID = '" + userEnteredValue + "'"

Then you are at risk as the user could supply a value that, when concatenated into an SQL statement and executed like this, could have negative affects.
0
 
LVL 31

Assisted Solution

by:RiteshShah
RiteshShah earned 150 total points
ID: 24303938
simply because you are adding value of parameter not a part of T-SQL statement in ad-hoc query.
0
 
LVL 26

Assisted Solution

by:Anurag Thakur
Anurag Thakur earned 150 total points
ID: 24304030
what you are trying to do will make no impact on sql injection as customerid will be matched with the customer id even if it contains injection attack
here is the link for how to prevent such attacks http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now