Hi,
In my project I am using SQL queries like this.
But you already informed me that these queries are not secure at all, so what is the secure SQL query?
How can I give the user the right to enter the state name?

Please send me an example of secure queries for inserting data entered by the user.

try
{
    // The text box values are concatenated straight into the SQL text
    String str2 = "select code from state where code='" + this.txtstatecode.Text + "'";
    SqlCommand cmd1 = new SqlCommand();
    cmd1.CommandText = str2;
    cmd1.Connection = conn;
    SqlDataReader rd = cmd1.ExecuteReader();
    bool exists = rd.Read();
    // The reader must be closed before the same connection can run another command
    rd.Close();

    if (exists)
    {
        System.Windows.MessageBox.Show("Record already existing");
    }
    else
    {
        String str = "insert into State(Code,Name)values ('" + this.txtstatecode.Text + "','" + this.txtstatename.Text + "')";
        cmd1.CommandText = str;
        cmd1.Connection = conn;
        cmd1.ExecuteNonQuery();

        // Reload the whole State table into the grid
        DataTable dt = new DataTable();
        String str1 = "select code,name from State";
        cmd1.Connection = conn;
        cmd1.CommandType = CommandType.Text;
        cmd1.CommandText = str1;
        SqlDataAdapter adp = new SqlDataAdapter(cmd1);
        SqlCommandBuilder cb = new SqlCommandBuilder(adp);
        adp.Fill(dt);
        bs.DataSource = dt;
        statedg5.ItemsSource = bs;
        adp.Update(dt);
        this.statedg5.Items.Refresh();
    }
}
catch (Exception e1)
{
    System.Windows.MessageBox.Show(e1.Message);
}

You should use a SqlCommand object for executing the SQL query. Pass the values as parameters to the SqlCommand object. Try search engines for help. And have a look at the following.

Reasons I'd fire anyone who wrote this code for me

1 - hard coded connection string
2 - SQL code in presentation layer
3 - lack of any sort of database security, esp. in what looks like an account creation page, which anyone could presumably access and thus erase or hack the entire DB
4 - the password for the database is abc
5 - using an integer for a boolean flag
6 - this method does several things, which should be refactored into different methods
7 - using Response.Write to communicate with the user instead of setting text in a properly styled and positioned control
by Christian Graus
When you combine strings to pass parameters to a query like this:
C#
String str2 = "select code from state where code='" + this.txtstatecode.Text + "'";

You open yourself up to SQL injection attacks. Instead, pass parameters to the command like this:
C#
String str2 = "select code from state where code=@StateCode";
SqlCommand cmd1 = new SqlCommand();
cmd1.CommandText = str2;
cmd1.Connection = conn;
// The value is bound as a parameter, so quotes in the input are data, not SQL
cmd1.Parameters.Add(new SqlParameter("StateCode", this.txtstatecode.Text));

Escaping and such will be handled by the .Net Framework. That way, you will not open yourself up to SQL injection attacks.
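As an added example, not code from the question or from either answer, here is the question's check-then-insert rewritten so that every user value travels as a typed parameter. The State table layout (Code nvarchar(10), Name nvarchar(100)) and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
// Added example, not code from the original post. Assumes a table
// State(Code nvarchar(10), Name nvarchar(100)); the connection string is a placeholder.
public static class StateRepository
{
    // Returns true when a new row was inserted, false when the code already exists.
    // User input only reaches SQL Server as a parameter value, so quotes or SQL
    // keywords in the text are stored literally, never executed.
    public static bool InsertStateIfMissing(string connectionString, string code, string name)
    {
        const string existsSql = "SELECT 1 FROM State WHERE Code = @Code";
        const string insertSql = "INSERT INTO State (Code, Name) VALUES (@Code, @Name)";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (var check = new SqlCommand(existsSql, conn))
            {
                // Declaring type and length avoids implicit conversions and keeps
                // one cached plan per statement instead of one per input value.
                check.Parameters.Add("@Code", SqlDbType.NVarChar, 10).Value = code;
                if (check.ExecuteScalar() != null)
                {
                    return false; // record already existing
                }
            } // ExecuteScalar leaves no open reader, so the connection is free
            using (var insert = new SqlCommand(insertSql, conn))
            {
                insert.Parameters.Add("@Code", SqlDbType.NVarChar, 10).Value = code;
                insert.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
                insert.ExecuteNonQuery();
            }
            // A UNIQUE constraint on Code is still the real guard against two
            // users passing the check at the same moment.
            return true;
        }
    }
    public static void Main()
    {
        // Placeholder connection string; replace with your own.
        const string connStr = "Server=.;Database=Demo;Integrated Security=true";
        // Constructed sample: a name containing an apostrophe, which breaks the
        // concatenated query but is handled correctly as a parameter.
        bool inserted = InsertStateIfMissing(connStr, "HI", "Hawai'i");
        Console.WriteLine(inserted ? "Inserted" : "Record already existing");
    }
}
```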

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)