Home/ Questions/Q 6010307
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T02:05:51+00:00

I am new to sql, and I try to do manipulation on data with

  • 0

I am new to sql, and I try to do manipulation on data with inline /in-code sql commands. However, I know that u need to write a lot of code sometimes in trans-sql.. When i write it,, then people say it is subject to sql injections. Then I dont know what to do…

What would be easier for me to do taking into account that i am not an expert on databases programming. Should i use Stored procedures or inline text. And how do i pass parameters to stored procedures? (e.g if i have an input from a textbox).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Let’s take an example to Login a user:

    the normal query would be something like

    SELECT name, lastLogin 
FROM [tblUsers] 
where username = 'balexandre' AND password = 'veryhard';

    when putting this into code, it would be kind’a

    using (SqlConnection connection = new SqlConnection(connectionString)) { 

    DataSet userDataset = new DataSet(); 

    string query = "SELECT name, lastLogin FROM [tblUsers] where username = '" + txtUser.Text.Trim() + "' AND password = '" + txtPassword.Text.Trim() + "'";

    SqlDataAdapter myCommand = new SqlDataAdapter(query, connection);
    myCommand.Fill(userDataset); 
}

    But this will not prevent SQL Injection, as, try to imagine what happen if I add in the username textbox something like % and in the password textbox something like ' OR 1=1-- or just ' OR 1=1-- in the username textbox. This would be valid as: 1 is a matter of fact equal to 1 and I would be logged in…

    the passed Query would be like:

    SELECT name, lastLogin 
FROM [tblUsers] 
where username = '' OR 1=1 --' AND password = '';

    You get it, right?

    But if we use parameters in our query, this will never happen, like this:

    using (SqlConnection connection = new SqlConnection(connectionString)) { 

    DataSet userDataset = new DataSet(); 

    string query = "SELECT name, lastLogin FROM [tblUsers] where username = @username AND password = @password";
    SqlDataAdapter myCommand = new SqlDataAdapter(query, connection);

    myCommand.SelectCommand.Parameters.Add("@username", SqlDbType.VarChar, 30); 
    myCommand.SelectCommand.Parameters["@username"].Value = txtUser.Text.Trim(); 

    myCommand.SelectCommand.Parameters.Add("@password", SqlDbType.VarChar, 30); 
    myCommand.SelectCommand.Parameters["@password"].Value = txtPassword.Text.Trim(); 

    myCommand.Fill(userDataset); 
}

    Samething if you want to use Store Procedures:

    using (SqlConnection connection = new SqlConnection(connectionString)) { 

    DataSet userDataset = new DataSet(); 

    string query = "spGetUser";
    SqlDataAdapter myCommand = new SqlDataAdapter(query, connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; 

    myCommand.SelectCommand.Parameters.Add("@username", SqlDbType.VarChar, 30); 
    myCommand.SelectCommand.Parameters["@username"].Value = txtUser.Text.Trim(); 

    myCommand.SelectCommand.Parameters.Add("@password", SqlDbType.VarChar, 30); 
    myCommand.SelectCommand.Parameters["@password"].Value = txtPassword.Text.Trim(); 

    myCommand.Fill(userDataset); 
}

    Nowdays, you can avoid to think in all of this if you work and use something like a Database ORM (Object-relational mapping) that, instead of righting all the SQL stuff and worry about this, the Framework will take care of all known actions for you.

    One of the most used Databases ORM is NHibernate and ADO Entity Framework.

    You can use LINQ queries with this and your call would be like:

    public User GetUser(string username, string password)
{
    return _db.Users.FirstOrDefault(x => x.User == username && x.Password == password);
}

    and if you had a Store Procedure, it’s the same (the example below just shows another way to call it)

    public User GetUser(string username, string password)
{
    return (from u in _db.spGetUser(username, password)
            select u).FirstOrDefault();                
}

    And you don’t need to think about, caching, injection, concurrency, etc …

    • 0