Chapter 5. Data in a Web Service

Writing a web service doesn’t have to be a difficult or frustrating experience. I know many people, including myself, who struggled with writing one the first time. The challenge is more around understanding how different data types are returned and then taking care of the data access. I have written a simple example that will give you a great start toward writing one that will meet your needs.

The first thing that I want to cover is something called an SQL Injection Attack. When you are accepting input from users on the Web (really anywhere, but particularly on the Web), you need to be sure that you are taking precautions to avoid an SQL Injection Attack. In basic terms, if you are building an SQL Query String dynamically based on user input, a user can enter in text, end the first statement, then enter in malicious code (drop a table, overwrite data, etc.), and then put in a comment marker that would make SQL Server ignore the rest of the statement.

So, while you may be tempted to take user input in a variable—which for now we’ll call x—and concatenate it within your string, you should avoid doing that at all times. Here’s what it might look like in that example:

string x = Console.ReadLine(); // input from the user (any untrusted source; Console.ReadLine is assumed here for illustration)
string sqlstr = "Select * from tbl_Test Where Product = '" + x + "'"; // the user's text becomes part of the SQL statement itself

If you did that and someone targeted your site, all your data could be deleted. There are two steps that you can take to keep from being attacked in this manner. The first thing you can do ...
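As an added example (not the book's own code), here is the concatenated query from above placed beside a parameterized version that uses System.Data.SqlClient; the table tbl_Test and column Product come from the text, while the connection string, the 50-character column length and the sample input are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; not the book's code. Assumes a table tbl_Test with an
// nvarchar(50) column Product reachable through the placeholder connection string.
class ProductLookup
{
    // Placeholder connection string; replace with your own.
    const string ConnStr = "Server=.;Database=TestDb;Integrated Security=true;";

    // Vulnerable: the user's text is spliced into the SQL statement itself.
    static string BuildUnsafeQuery(string x)
    {
        return "Select * from tbl_Test Where Product = '" + x + "'";
    }

    // Safe: the statement is fixed, and x travels separately as a typed value,
    // so SQL Server never parses the input as part of the query.
    static int CountMatchesSafely(string x)
    {
        const string sql = "Select * from tbl_Test Where Product = @product";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length keep the value a value.
            cmd.Parameters.Add("@product", SqlDbType.NVarChar, 50).Value = x;
            conn.Open();
            int rows = 0;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read()) rows++;
            }
            return rows;
        }
    }

    static void Main()
    {
        // Constructed sample: a legitimate product name containing an apostrophe.
        // The concatenated version is already broken by it, because everything
        // after the quote is read as SQL rather than as data; the parameterized
        // version handles the same input correctly.
        string x = "Bob's Widget";
        Console.WriteLine(BuildUnsafeQuery(x));
        Console.WriteLine(CountMatchesSafely(x) + " row(s) matched");
    }
}
```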

Get C# Database Basics now with the O’Reilly learning platform.