
Microsoft® Visual Basic® .NET Programmer's Cookbook by Matthew MacDonald


Protect Against SQL Injection Attacks

Problem

You want to reduce the opportunity for attackers to submit malicious SQL code in command parameter values.

Solution

Use a parameterized query.

Discussion

Many applications build SQL commands dynamically by concatenating the pieces together into one large string. This approach poses problems when dealing with binary data or values that contain quote characters, and it also raises the possibility that an attacker can execute malicious SQL code by "injecting" it along with a parameter value. Such injected code could be used to read or tamper with information in the database, or even to launch another application on the database server. You can read some frightening examples for different database servers on the Open Web Application Security Project Web site at http://www.owasp.org/asac/input_validation/sql.shtml ...
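The following is an added example, not code from the book, showing the difference in behavior between a concatenated query and a parameterized one. It uses Python's built-in sqlite3 module with an in-memory database so that it runs offline; the table, users and attack string are constructed here for illustration. The same principle applies to ADO.NET in VB .NET, where the placeholders are named parameters (for example @UserName) added to SqlCommand.Parameters.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory Users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pa55")],
    )
    conn.commit()
    return conn

def login_concatenated(conn, user, password):
    """VULNERABLE: user input is pasted directly into the SQL text, so the
    database cannot tell where the value ends and the command begins."""
    sql = ("SELECT UserName FROM Users WHERE UserName = '" + user
           + "' AND Password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))

def login_parameterized(conn, user, password):
    """SAFE: the SQL text is fixed; values travel separately as parameters
    and are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?"
    return sorted(row[0] for row in conn.execute(sql, (user, password)))

def demo():
    """Run a legitimate login, an injection attempt, and a legitimate value
    that happens to contain a quote against both implementations."""
    conn = make_db()
    # Classic tautology payload: turns the WHERE clause into
    # ... AND Password = '' OR '1'='1'  (constructed attack string)
    evil = "' OR '1'='1"
    results = {
        "legit_concat": login_concatenated(conn, "alice", "s3cret"),
        "attack_concat": login_concatenated(conn, "alice", evil),
        "legit_param": login_parameterized(conn, "alice", "s3cret"),
        "attack_param": login_parameterized(conn, "alice", evil),
        "quote_param": login_parameterized(conn, "o'brien", "pa55"),
    }
    # A valid user name with an apostrophe breaks the concatenated query
    # outright: the stray quote makes the SQL syntactically invalid.
    try:
        results["quote_concat"] = login_concatenated(conn, "o'brien", "pa55")
    except sqlite3.OperationalError as exc:
        results["quote_concat"] = type(exc).__name__
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With concatenation, the tautology payload logs in as every user in the table, and a perfectly legitimate name such as o'brien produces a database error; with parameters, the payload is simply compared as a literal password and matches nothing, while the quoted name works as expected. Note that sqlite3 refuses multi-statement strings in execute(), so stacked queries (appending a second statement after a semicolon) would fail here for an unrelated reason; on SQL Server and others they succeed, which is why the parameterized form, not a driver quirk, is the defense.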
