Solved

C# How does SQL Command Parameterized Query Prevent SQL Injection

Posted on 2009-05-05
3
591 Views
Last Modified: 2012-05-06
As title.
I am building an SQL Command like:

SqlCommand cmd = new SqlCommand("DELETE FROM Customers WHERE CustomerID = @CustomerID");

cmd.Parameters.AddWithValue("@CustomerID", CustomerID);

How does this actually prevent SQL Injection?

If CustomerID was a string and a user entered "BobsCustomerID; drop table Customers", how is this not a risk with a parameterized query?
Question by:andrewmilner
3 Comments
 
LVL 23

Accepted Solution

by:
adathelad earned 200 total points
ID: 24303921
Because you're not actually executing that as a statement; you're searching for a value in the CustomerID field that has that value.

If you don't use parameterised SQL, but instead build up the SQL ad hoc like this:

string sql = "DELETE FROM Customers WHERE CustomerID = '" + userEnteredValue + "'";

then you are at risk, as the user could supply a value that, when concatenated into an SQL statement and executed like this, could have negative effects.
0
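To make the accepted answer concrete, here is an added example (not code from the question or any of the answers) that runs the two forms side by side. It uses Python's built-in sqlite3 module as a stand-in for SqlCommand so it runs offline without a SQL Server instance: the "?" placeholder plays the role of @CustomerID, and executescript stands in for SQL Server's ability to run a batch of several statements. The Customers table and its two rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original question).
SEED_ROWS = [("BobsCustomerID", "Bob"), ("AliceID", "Alice")]


def fresh_db():
    """Build an in-memory Customers table so every call starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerID TEXT PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Customers'"
    ).fetchone()
    return row[0] == 1


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def delete_parameterised(conn, customer_id):
    """The parameterised form from the question (? here plays the role of @CustomerID).

    The statement text is fixed at parse time; the driver hands the value over
    separately, so whatever the user typed is compared as a string literal and
    is never parsed as SQL. Returns the number of rows deleted.
    """
    cur = conn.execute("DELETE FROM Customers WHERE CustomerID = ?", (customer_id,))
    conn.commit()
    return cur.rowcount


def delete_concatenated(conn, customer_id):
    """The ad-hoc form from the accepted answer: the value is spliced into the text.

    executescript is used deliberately, because like SQL Server's SqlCommand it
    executes a batch of several statements, which is what the attack relies on.
    Returns the SQL text that was actually sent, so the caller can see why the
    result differs.
    """
    sql = "DELETE FROM Customers WHERE CustomerID = '" + customer_id + "'"
    conn.executescript(sql)
    conn.commit()
    return sql


def demo():
    """Run the three scenarios and return a summary dict."""
    # 1. The exact string from the question, sent as a parameter: it is just a
    #    value that matches no row, so nothing is deleted and the table survives.
    conn = fresh_db()
    deleted = delete_parameterised(conn, "BobsCustomerID; drop table Customers")
    param_result = (deleted, table_exists(conn), row_count(conn))

    # 2. The exact string from the question, concatenated: the quote around the
    #    value is never closed, so even here it stays one harmless literal.
    conn = fresh_db()
    delete_concatenated(conn, "BobsCustomerID; drop table Customers")
    concat_plain_result = (table_exists(conn), row_count(conn))

    # 3. The textbook variant of that string, with a closing quote, concatenated:
    #    the text is now two statements plus a comment, and the table is gone.
    conn = fresh_db()
    delete_concatenated(conn, "BobsCustomerID'; DROP TABLE Customers; --")
    concat_quoted_result = table_exists(conn)

    return {
        "parameterised": param_result,
        "concatenated_plain": concat_plain_result,
        "concatenated_quoted_table_exists": concat_quoted_result,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Scenario 2 is the caveat worth noticing: the string from the question happens to be harmless even when concatenated, because it never closes the quote. That is luck, not safety; the parameterised form is safe regardless of what the input contains, because the value never reaches the SQL parser at all.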
 
LVL 31

Assisted Solution

by:RiteshShah
RiteshShah earned 150 total points
ID: 24303938
Simply because you are adding the value of a parameter, not a part of the T-SQL statement in an ad-hoc query.
0
 
LVL 26

Assisted Solution

by:Anurag Thakur
Anurag Thakur earned 150 total points
ID: 24304030
What you are trying to do will make no impact on SQL injection, as CustomerID will be matched with the customer ID even if it contains an injection attack.
Here is the link for how to prevent such attacks: http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
0
