calypsoworld
asked on
SQL Injection protection mechanism in DataSet
Hi!
I read here (http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx) that the TableAdapter/DataSet designer built-into VS 2005 uses this mechanism automatically, as do the ASP.NET 2.0 data source controls.
How does this mechanism work? I can't understand how parametrizing resolves the problem.
For example, if the querystring is expecting a string and the user inserts:
website.com/page.aspx?id=i askdo;DROP DATABASE pubs --
It's still a string, right? If the user inserts something like this, is an exception raised, or does nothing happen (the DB just stays safe)?
Thanks in advance!
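The difference the question is pointing at, as an added C# illustration (not code from the thread or from the linked post): the same querystring value, once spliced into the SQL text by hand and once bound as the @id parameter that the TableAdapter designer generates. The authors table and au_id/au_lname columns come from the pubs sample database named in the question; the parameter size is an assumption.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ParameterDemo
{
    // The exact querystring value from the question, used as the hypothetical user input.
    const string UserInput = "i askdo;DROP DATABASE pubs --";

    // Hand-concatenated query: the input becomes part of the SQL text, so SQL Server
    // reads the ';' as a batch separator and the '--' as a comment. This is the
    // pattern the parameterized designer code replaces.
    public static string Concatenated(string id)
    {
        return "SELECT au_lname FROM authors WHERE au_id = '" + id + "'";
    }

    // What the TableAdapter designer generates: fixed SQL text plus an @id parameter.
    // The text never changes. The value is sent separately as typed data, so the server
    // compares au_id against the whole input string as a literal and simply finds no row;
    // no exception, no second statement.
    public static SqlCommand Parameterized(string id)
    {
        var cmd = new SqlCommand("SELECT au_lname FROM authors WHERE au_id = @id");
        // Size 50 is an assumption; pick the column's real width in production.
        cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = id;
        return cmd;
    }

    static void Main()
    {
        Console.WriteLine("Concatenated text that would reach the server:");
        Console.WriteLine("  " + Concatenated(UserInput));

        SqlCommand safe = Parameterized(UserInput);
        Console.WriteLine("Parameterized text that reaches the server:");
        Console.WriteLine("  " + safe.CommandText);
        Console.WriteLine("Parameter @id carries the input as data, not SQL: "
                          + safe.Parameters["@id"].Value);
        // No connection is opened here; set safe.Connection to a SqlConnection to run it.
    }
}
```

This only covers SQL text the designer emits with parameters; any statement that is still assembled by string concatenation, in your own code or inside a stored procedure that builds dynamic SQL, is outside that protection.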
ASKER
Yes, it is all based on parameters. I'm able to create the queries in Designer mode and all the parameters are set as @param1 @param2 etc...
Thank you for the tips on using SPROCS, LINQ etc., but I'm finishing my project now and I'm just trying to understand what's happening behind the scenes in the "transparent" mechanisms.
But I'll surely be careful when deciding how to interact with DB in my next project.
Thank you again!
ASKER
So I don't have to do anything to prevent SQL injection, because I'm using a strongly typed DataSet and the protection is already set up. Right?
Thanks again!