
Microsoft® SQL Server™ 2005: Applied Techniques Step by Step by Solid Quality Learning


Parameters and Security in Dynamic Queries

Creating queries using values entered by the user is a significant security risk, especially if the application is a public Web site, in which case you don’t know who the user is or how much knowledge the user has. If the user knows about SQL syntax, they can break into your database using a technique known as a “SQL-injection” attack.

How SQL-Injection Attacks Work

Let’s consider a very simple example. Imagine a public Web site that lets the user search for products online. In the site, the application allows the user to find products using part of the name, so it builds and uses a simple dynamic query like this:

SqlDataSource1.SelectCommand = _
    "SELECT ProductNumber, Name, ListPrice " & _
    "FROM Production.Product ...
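The contrast the section draws, as an added example that is not the book's code: the concatenated query beside a parameterized one, using Python with SQLite in place of ASP.NET and SQL Server; the Product table and its rows are constructed, and the column names follow the page's query.

```python
import sqlite3

# Constructed stand-in for AdventureWorks Production.Product, using SQLite so
# the example runs offline; the column names follow the page's query.
PRODUCTS = [
    ("BK-R93R-62", "Road-150 Red, 62", 3578.27),
    ("BK-M82S-44", "Mountain-100 Silver, 44", 3399.99),
    ("HL-U509-B", "Sport-100 Helmet, Black", 34.99),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Product (ProductNumber TEXT, Name TEXT, ListPrice REAL)")
    con.executemany("INSERT INTO Product VALUES (?, ?, ?)", PRODUCTS)
    return con


def search_vulnerable(con: sqlite3.Connection, name_part: str) -> list:
    """Builds the statement by concatenating the user's text, like the page's
    SelectCommand; whatever the user types becomes part of the SQL itself."""
    sql = ("SELECT ProductNumber, Name, ListPrice FROM Product "
           "WHERE Name LIKE '%" + name_part + "%'")
    return con.execute(sql).fetchall()


def search_parameterized(con: sqlite3.Connection, name_part: str) -> list:
    """Same search with the value bound as a parameter: the SQL text is fixed
    and the driver passes the user's text purely as data. (In ADO.NET the
    placeholder would be a SqlParameter such as @NamePart.)"""
    sql = ("SELECT ProductNumber, Name, ListPrice FROM Product "
           "WHERE Name LIKE '%' || ? || '%'")
    return con.execute(sql, (name_part,)).fetchall()


def compare(name_part: str) -> tuple:
    """Returns (rows from the concatenated query, rows from the bound query)."""
    con = make_db()
    return search_vulnerable(con, name_part), search_parameterized(con, name_part)


if __name__ == "__main__":
    # An ordinary search term behaves identically in both versions.
    print(compare("Road"))
    # A term containing SQL syntax changes the concatenated statement's WHERE
    # clause (here it turns into a tautology and returns every product), while
    # the bound version just looks for that literal text and finds nothing.
    print(compare("' OR 1=1 --"))
```

With SQL Server the same separation is achieved by passing the value as a SqlParameter (or as a parameter of sp_executesql when the dynamic SQL is built inside a stored procedure) rather than splicing it into the statement text.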
