SQL Injection with queries built client side

I need to know how possible it is for a SQL injection event to occur when the queries to the database are done on the client side in this manner:

    // Builds the query text. The only value that varies per request is the
    // named parameter @AHCCCSID, which is bound separately on the SqlCommand.
    private string getSQL_AHCCCS()
    {
        string sql = "";
        sql += "    SELECT ";
        sql += "          NULL AS ENRL_BEG_DAT_INT,  ";
        sql += "          NULL AS ENRL_END_DAT_INT,  ";
        sql += "          AcuteMedicalRateCode_CHR AS ACUTE_RATE_CD_CHR,  ";
        sql += "          HealthPlanID_CHR AS ACUTE_HP_ID_CHR,  ";
        sql += "          Name_VAR AS RP_NAME_VAR,  ";
        sql += "          DOB_CHR AS RP_DAT_OF_BIR_INT,  ";
        sql += "          AHCCCSID_CHR AS AHCCCS_ID_CHR,  ";
        sql += "          Gender_CHR AS RP_SEX_CHR  ";
        sql += "    FROM  ";
        sql += "          ADHS.dbo.T_AtRiskPopulation  ";
        sql += "    WHERE  ";
        sql += "          AHCCCSID_CHR = @AHCCCSID ";
        return sql;
    }

Thanks.
Asked by TimSweet220
ivan_vagunin commented:
Look at the following documentation - using parameters is safe against SQL injection:
http://msdn.microsoft.com/en-us/library/ff648339.aspx#paght000002_step3
ivan_vagunin commented:
Hi! First, I guess the query is done on the server side, not the client side. The code posted is safe against a SQL injection attack - there is no chance to embed a client query in it.
tim_cs commented:
How will the value of @AHCCCSID be populated?  
TimSweet220 (author) commented:
From a variable on the form.
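To make the distinction the answers rely on concrete, here is an added example (not code from the original post or any commenter) showing how the form value should reach @AHCCCSID. It assumes the same table and columns as the question, a placeholder connection string, a hypothetical column length of 9 for AHCCCSID_CHR, and ADO.NET's System.Data.SqlClient. The unsafe method is there only to show what concatenation does with hostile input; the safe method is the pattern the parameterized query in the question is meant to be used with.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Connection string and the
// parameter length are assumptions for illustration.
public static class AhcccsLookup
{
    // UNSAFE: the form value is spliced into the SQL text. With the constructed
    // input  ' OR 1=1 --  the WHERE clause becomes
    //   WHERE AHCCCSID_CHR = '' OR 1=1 --'
    // which matches every row in T_AtRiskPopulation.
    public static string BuildUnsafeSql(string ahcccsIdFromForm)
    {
        return "SELECT AHCCCSID_CHR, Name_VAR FROM ADHS.dbo.T_AtRiskPopulation "
             + "WHERE AHCCCSID_CHR = '" + ahcccsIdFromForm + "'";
    }

    // SAFE: the SQL text is fixed and contains only the placeholder @AHCCCSID,
    // exactly as in the question's getSQL_AHCCCS. The form value is sent to
    // SQL Server as a typed parameter and is never parsed as SQL, so the same
    // hostile string is simply compared as data and matches no row.
    public static DataTable LookupSafe(string connectionString, string ahcccsIdFromForm)
    {
        const string sql =
            "SELECT AHCCCSID_CHR, Name_VAR, DOB_CHR, Gender_CHR " +
            "FROM ADHS.dbo.T_AtRiskPopulation " +
            "WHERE AHCCCSID_CHR = @AHCCCSID";

        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare the parameter with the column's type and length so it is
            // bound as a value (Char(9) is an assumed length for the example).
            cmd.Parameters.Add("@AHCCCSID", SqlDbType.Char, 9).Value = ahcccsIdFromForm;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }

    public static void Main()
    {
        // Constructed attacker input for demonstration.
        string hostile = "' OR 1=1 --";

        // Show the concatenated text an attacker would get to execute.
        Console.WriteLine(BuildUnsafeSql(hostile));

        // The parameterized lookup needs a real database; the placeholder
        // connection string below is an assumption and must be replaced.
        // DataTable rows = LookupSafe("Server=.;Database=ADHS;Integrated Security=true", hostile);
    }
}
```

Two checks a practitioner would make on the real code: that nothing else in the query text (table name, ORDER BY column, filter fragments) is ever concatenated from form input, since a parameter only protects the one value it carries; and that the parameter is added with an explicit SqlDbType rather than AddWithValue, which infers NVARCHAR from the .NET string and can force an implicit conversion on the indexed CHAR column.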
TimSweet220 (author) commented:
Excellent.