?
Solved

c# How does SQL Command Paramatized Query Prevent SQL Injection

Posted on 2009-05-05
3
Medium Priority
?
608 Views
Last Modified: 2012-05-06
As title.
I am building an SQL Command like.
SqlCommand cmd = new SqlCommand(Delete from Customers where CustomerID = @CustomerID);

cmd.Parameters.AddWithValue("@CustomerID", CustomerID);

How does this acutally prevent SQL Injection?

If CustomerID was a string and a user entered "BobsCustomerID; drop table Customers"  how is this not a risk with a parametized query.
0
Comment
Question by:andrewmilner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 23

Accepted Solution

by:
adathelad earned 800 total points
ID: 24303921
Because you're not actually executing that as a statement, you're searching for a value in the CustomerID field that has that value.

If you don't use parameterised sql, but instead buld up the SQL adhoc like this:

string sql = "DELETE FROM Customers WHERE CustomerID = '" + userEnteredValue + "'"

Then you are at risk as the user could supply a value that, when concatenated into an SQL statement and executed like this, could have negative affects.
0
 
LVL 31

Assisted Solution

by:RiteshShah
RiteshShah earned 600 total points
ID: 24303938
simply because you are adding value of parameter not a part of T-SQL statement in ad-hoc query.
0
 
LVL 26

Assisted Solution

by:Anurag Thakur
Anurag Thakur earned 600 total points
ID: 24304030
what you are trying to do will make no impact on sql injection as customerid will be matched with the customer id even if it contains injection attack
here is the link for how to prevent such attacks http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question