Thursday, June 22, 2006


SQL Injection Attacks

Ways to prevent SQL Injection Attacks

The fix is the same in every language: never build the SQL text by concatenating user input into it. Keep the query fixed, put a placeholder where the value goes, and bind the value as a parameter so the database driver never treats it as SQL. Two examples follow, one for .NET and one for Java.

In .NET

Instead of

// VULNERABLE: userName is spliced into the SQL text, so a value such as
// ' OR '1'='1 changes the query instead of being compared as a name.
using( SqlConnection con = (acquire connection) ) {
    con.Open();
    using( SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE name = '" + userName + "'", con) ) {
        using( SqlDataReader rdr = cmd.ExecuteReader() ) {
            ...
        }
    }
}


Use the following

using System.Data;
using System.Data.SqlClient;

// SAFE: the SQL text is constant and @userName is a bound parameter.
using( SqlConnection con = (acquire connection) ) {
    con.Open();
    using( SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE name = @userName", con) ) {
        // Bind with an explicit type and length. The older
        // Parameters.Add(string, object) overload is obsolete in .NET 2.0;
        // Parameters.AddWithValue("@userName", userName) also works but
        // infers the SQL type from the .NET value.
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
        using( SqlDataReader rdr = cmd.ExecuteReader() ) {
            ...
        }
    }
}

In Java

Instead of

// VULNERABLE: same concatenation problem with a plain Statement.
Connection con = (acquire Connection);
Statement stmt = con.createStatement();
ResultSet rset = stmt.executeQuery("SELECT * FROM users WHERE name = '" + userName + "';");


Use the following

// SAFE: '?' is a placeholder; setString binds the value, and the driver
// never parses it as SQL.
Connection con = (acquire Connection);
PreparedStatement pstmt = con.prepareStatement("SELECT * FROM users WHERE name = ?");
pstmt.setString(1, userName);
ResultSet rset = pstmt.executeQuery();
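To see why the "instead of" snippets above are dangerous and the parameterised versions are not, here is an added, runnable example that is not part of the original post. It uses Python's standard-library sqlite3 module (so it runs offline) in place of SqlClient or JDBC, but the two lookup functions mirror the .NET and Java snippets exactly: one concatenates the name into the SQL text, the other binds it to a placeholder. The table contents, the user names and the payload string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post): an in-memory
# SQLite table standing in for the "users" table the post queries.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")]

# Attacker input: closes the quoted literal and appends an always-true predicate.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create a fresh in-memory database with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def lookup_concat(con, user_name):
    """Vulnerable: the input becomes part of the SQL text, exactly like the
    '+ userName +' concatenation in the post's 'instead of' snippets."""
    sql = "SELECT name, role FROM users WHERE name = '" + user_name + "' ORDER BY id"
    return con.execute(sql).fetchall()


def lookup_param(con, user_name):
    """Safe: '?' is a placeholder and the value is bound separately, the
    sqlite3 counterpart of SqlParameter / PreparedStatement.setString."""
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY id"
    return con.execute(sql, (user_name,)).fetchall()


def compare(user_name):
    """Run the same input through both lookups on a fresh database.
    A SQL syntax error raised by the concatenated query is reported as
    the string 'sql error' instead of propagating."""
    con = make_db()
    try:
        concat = lookup_concat(con, user_name)
    except sqlite3.OperationalError:
        concat = "sql error"
    return {"concat": concat, "param": lookup_param(con, user_name)}


if __name__ == "__main__":
    for name in ("bob", PAYLOAD, "o'brien"):
        print(repr(name), "->", compare(name))
```

Three inputs tell the whole story. A normal name returns the same single row from both functions. The payload makes the concatenated query return every user (the WHERE clause has become `name = '' OR '1'='1'`), while the parameterised query returns nothing because no user is literally named `' OR '1'='1`. The name `o'brien` breaks the concatenated query with a syntax error but is matched correctly by the bound parameter, so parameterisation fixes a correctness bug as well as the security hole. One caveat: parameters protect values only. A table name, column name or ORDER BY direction cannot be bound and must be checked against a fixed allow-list before it goes anywhere near the SQL text.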
