As the title says, if I’m using SQL parameters, ie
SqlCommand cmd = new SqlCommand("select top 1 * from users where username = @user and password = @pass", Cxn);
cmd.Parameters.Add("@user", SqlDbType.VarChar);
cmd.Parameters.Add("@pass", SqlDbType.VarChar);
Can I just enter the parameter's value as the direct entry from the input?
cmd.Parameters["@user"].Value = txtBxUserName.Text;
cmd.Parameters["@pass"].Value = txtBxPassword.Text;
That’s what seems to be suggested whenever you look for anything to do with escaping strings etc.: the end answer is to just let the parameter binding do it. But will that protect against injection attacks and the like? Or do you still need to perform some server-side validation?
Coming from a heavily orientated PHP background it goes against every fibre of my body to directly enter text into a query :p
The example you’ve given is safe in terms of SQL Injection. The only potential SQL Injection problem with parameterized queries is if they address a proc which itself uses dynamic SQL.
Of course, you still have to think about XSS exploits whether you’re parameterizing or not.
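As an added illustration of both points in the answer (this is example code, not code from the question or the answer): the parameterized lookup with the concatenated form it replaces, the stored-procedure caveat shown as procedure bodies that do and do not re-introduce dynamic SQL, and HTML-encoding the same value before it is echoed back. The table name dbo.Users, its column names, the procedure name dbo.FindUser, the parameter sizes and the connection string are all assumptions made for this example.

```csharp
// Added example; assumes a SQL Server table dbo.Users(UserName, Password) and a
// stored procedure dbo.FindUser(@user). All names and sizes here are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class LoginRepository
{
    // UNSAFE: the input is spliced into the statement text, so the SQL parser sees
    // whatever the user typed as part of the query. Shown only for contrast.
    public static string BuildUnsafeQuery(string user)
    {
        return "SELECT TOP 1 UserName FROM dbo.Users WHERE UserName = '" + user + "'";
    }

    // SAFE: the statement text is fixed at compile time; the inputs are sent to the
    // server as typed values and are never parsed as SQL. (The question compares the
    // submitted password directly; real code compares a stored hash instead.)
    public static bool Exists(SqlConnection cxn, string user, string pass)
    {
        const string sql =
            "SELECT TOP 1 UserName FROM dbo.Users WHERE UserName = @user AND Password = @pass";
        using (var cmd = new SqlCommand(sql, cxn))
        {
            // Give each parameter an explicit type and length so the driver sends a
            // bounded value and the server reuses one plan rather than one per length.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = pass;
            return cmd.ExecuteScalar() != null;
        }
    }

    // The answer's caveat: client-side parameters protect the call, not what the
    // procedure does with the value afterwards. A procedure body like this one
    // rebuilds a string from @user and executes it, which is injection again.
    public const string UnsafeProcBody =
        "EXEC('SELECT TOP 1 UserName FROM dbo.Users WHERE UserName = ''' + @user + '''')";

    // The fix inside the procedure: keep the dynamic statement's text fixed and hand
    // the value to sp_executesql as a parameter, exactly as the client did.
    public const string SafeProcBody =
        "EXEC sp_executesql " +
        "N'SELECT TOP 1 UserName FROM dbo.Users WHERE UserName = @u', " +
        "N'@u NVARCHAR(64)', @u = @user";

    // Calling the procedure from ADO.NET looks the same either way; only the
    // procedure body decides whether the value stays data.
    public static bool ExistsViaProc(SqlConnection cxn, string user)
    {
        using (var cmd = new SqlCommand("dbo.FindUser", cxn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            return cmd.ExecuteScalar() != null;
        }
    }

    // The answer's second point: a value that is safe for SQL is not safe for HTML.
    // Encode it for the output context when it is written back to the page.
    public static string WelcomeHtml(string user)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(user) + "</p>";
    }

    public static void Main()
    {
        // Placeholder connection string; replace with your own.
        const string connectionString = "Server=<SERVER>;Database=<DATABASE>;Integrated Security=true";
        using (var cxn = new SqlConnection(connectionString))
        {
            cxn.Open();
            // Whatever the user typed, including quotes, is bound as a value.
            bool found = Exists(cxn, "o'brien", "not-a-real-password");
            Console.WriteLine(found ? WelcomeHtml("o'brien") : "no such user");
        }
    }
}
```

The two procedure bodies are the whole difference between the safe and unsafe cases the answer describes: from the C# side, ExistsViaProc is identical for both, so the review has to happen on the procedure, not on the caller.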