Monday, July 4, 2011

ADO.NET : Preventing SQL injection attacks

Use the SqlParameter class (a parameterized SqlCommand) to prevent SQL injection attacks. With parameters the SQL text is fixed and the user's input is sent to the server as a typed value, so it can never be parsed as part of the statement.

Avoid dynamic SQL built by concatenating user input into the statement, like this:

// Vulnerable: the contents of both text boxes become part of the SQL text
string strQry = "SELECT Count(*) FROM Users WHERE UserName='" +
txtUser.Text + "' AND Password='" + txtPassword.Text + "'";

because if the user enters a username such as ' OR 1=1 -- the statement sent to the server becomes SELECT Count(*) FROM Users WHERE UserName='' OR 1=1 --' AND Password='...'. The injected OR 1=1 matches every row and the -- comments out the rest of the WHERE clause, so the count is non-zero and the login check passes whatever value is in the password box.
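The parameterized version the post recommends, as an added example rather than code from the original post. It keeps the post's Users table with UserName and Password columns and assumes a local SQL Server connection string; BuildUnsafeQuery is only there to show the SQL text the concatenated form would send for the injection payload.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. The connection string and the
// Users/UserName/Password schema are assumptions made for illustration.
class LoginCheck
{
    // Assumed: a local SQL Server instance with the Users table.
    const string ConnectionString =
        "Server=.;Database=AppDb;Integrated Security=true;";

    // The post's vulnerable form, kept only to show what reaches the server.
    // With userName = "' OR 1=1 --" and password = "x" it produces:
    //   SELECT Count(*) FROM Users WHERE UserName='' OR 1=1 --' AND Password='x'
    // Everything after -- is a comment, so the password condition is gone.
    static string BuildUnsafeQuery(string userName, string password)
    {
        return "SELECT Count(*) FROM Users WHERE UserName='" + userName +
               "' AND Password='" + password + "'";
    }

    // Hardened form: the SQL text never changes; the values are sent as typed
    // parameters, so ' OR 1=1 -- is compared as a literal username and matches
    // nothing.
    static int CountMatchingUsers(string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users " +
            "WHERE UserName = @UserName AND Password = @Password";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Give each parameter an explicit type and length that match the
            // column definitions; every call then compiles to the same plan.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value = password;

            conn.Open();
            // COUNT(*) is an int in SQL Server, so the scalar can be cast directly.
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        string payload = "' OR 1=1 --";

        Console.WriteLine("Concatenated SQL text the post warns about:");
        Console.WriteLine(BuildUnsafeQuery(payload, "x"));

        // Against the assumed database the parameterized query returns 0 for the
        // payload (no account is literally named ' OR 1=1 --), whereas the
        // concatenated text above would return the total number of rows.
        Console.WriteLine("Matching users (parameterized): " +
                          CountMatchingUsers(payload, "x"));
    }
}
```

The example keeps the post's plaintext Password column so it stays on topic; in practice that column would hold a password hash and the comparison would be done in code after fetching the stored hash, but the parameter handling shown here is the same either way.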
