Parameters and Security in Dynamic Queries
Creating queries using values entered by the user is a significant security risk, especially if the application is a public Web site, in which case you don’t know who the user is or how much knowledge the user has. If the user knows about SQL syntax, they can break into your database using a technique known as a “SQL-injection” attack.
How SQL-Injection Attacks Work
Let’s consider a very simple example. Imagine a public Web site that lets the user search for products online. In the site, the application allows the user to find products using part of the name, so it builds and uses a simple dynamic query like this:
SqlDataSource1.SelectCommand = _ "SELECT ProductNumber, Name, ListPrice " _ "FROM Production.Product ...
Get Microsoft® SQL Server™ 2005: Applied Techniques Step by Step now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.