Chapter 11
A Deeper Dive Into Data Access
What you will learn in this chapter:
- Secure data access
- How to develop forms for CRUD
- How to display data using the WebGrid helper
The previous chapter provided you with an introduction to databases, Structured Query Language, and the Database Helper. The last exercise provided a glimpse at how these three things come together with a web page to provide the true basis of dynamic web development: that which relies on the contents of a database to make it current and specific to the user.
You saw that you can filter data with a WHERE clause. The next step is to give your visitors the ability to create their own filters, choose the order in which data is displayed, or decide how much of it they want to see. Since SQL commands are strings, and, as you learned in Chapter 4, strings can be built dynamically, you can construct a query from your users' choices and so give them a way to personalize their data access. As with all powerful techniques, however, this brings potential dangers that you need to manage, and before you can manage them you need to understand them.
What Is SQL Injection?
Simply stated, SQL injection is a technique whereby a malicious user injects a SQL command with additional legitimate SQL syntax that alters the intended behaviour of the command, and potentially compromises the security of the application that makes use of the SQL command. You may well be scratching your head at the moment, and trying to read that ...
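The danger just described, shown as an added example that is not code from the book: a query built by pasting the visitor's text into the SQL string, beside the same query with the value passed as a parameter. Python's sqlite3 module stands in here for the WebMatrix Database helper, whose `db.Query("... WHERE Name = @0", name)` plays the same role as the parameterized version; the Customers table is constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample data standing in for a site database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT)")
    db.executemany("INSERT INTO Customers (Name) VALUES (?)",
                   [("Alice",), ("O'Brien",), ("Bob",)])
    return db


def concatenated_sql(name):
    """The command text as string concatenation produces it."""
    return "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'"


def find_by_concatenation(db, name):
    """Vulnerable: the visitor's text becomes part of the command, so a quote
    or keyword inside it is parsed as SQL syntax instead of as a value."""
    return list(db.execute(concatenated_sql(name)))


def find_by_parameter(db, name):
    """Safe: the command text is fixed and the value travels separately,
    so whatever the visitor typed is compared literally against Name."""
    sql = "SELECT Id, Name FROM Customers WHERE Name = ?"
    return list(db.execute(sql, (name,)))


def compare(db, name):
    """Run both versions on the same input and report what each produced."""
    try:
        vulnerable = find_by_concatenation(db, name)
    except sqlite3.Error as err:          # the input broke the command itself
        vulnerable = "error: " + str(err)
    return {"sql": concatenated_sql(name),
            "concatenated": vulnerable,
            "parameterized": find_by_parameter(db, name)}


if __name__ == "__main__":
    db = build_db()
    # A perfectly legitimate name with an apostrophe is enough to show the
    # problem: the concatenated command is no longer the one you intended.
    for name in ("Alice", "O'Brien"):
        print(compare(db, name))
```

Any input that can change the shape of the concatenated command text is, by the definition above, a potential injection; the parameterized form removes the problem because the input can never be read as syntax.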