I have created a small survey web page on our company Intranet. This web page is not accessible from the outside.
The form is simply a couple of radio buttons and a comments box.
I would like to maintain good coding practices and would like to guard against SQL Injections.
Can SQL injections happen on an insert statement with comments from the textbox? If so, how can I guard against it using .NET 2.0?
Injection can happen on any SQL statement not run properly.
For example, let's pretend your comment table has two fields, an integer ID and the comment string. So you'd INSERT as follows:
Consider someone entering the following comment:
If you just put the comment string into the SQL without any processing this could turn your single INSERT into the following two statements followed by a comment:
This would delete everything from your users table. And there are people willing to spend all day finding the right table name to empty using trial and error and various tricks. Here's a description of how you could perform an SQL Injection attack.
You need to use parameterized SQL statements to prevent this.
And this isn’t just for security reasons. For example, if you’re creating your SQL statements naively the following comment:
would cause an SQL syntax error because of the apostrophe being interpreted by SQL as a closing quote.
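The two failure modes described in the answer above (a comment that stacks a DELETE onto the INSERT, and a plain apostrophe that breaks the query) next to the parameterized fix, as an added example that is not part of the original question or answer. It is written against Python's built-in sqlite3 module so it runs stand-alone; the table names, the two comment strings and the seeded users are constructed for this example. One assumption to note: sqlite3's execute() refuses multi-statement batches, so the vulnerable path uses executescript() to mimic a driver that accepts several ';'-separated statements in one command, which is the situation the answer describes.

```python
import sqlite3

# Two comments a survey user could type into the textbox (constructed for this example).
# The first closes the string literal and the INSERT, stacks a DELETE, then comments out
# the rest of the original statement; the second is an ordinary sentence with an apostrophe.
STACKED_PAYLOAD = "nice survey'); DELETE FROM users; --"
APOSTROPHE_COMMENT = "I don't like the new coffee machine"


def fresh_db():
    """In-memory database: a comments table, plus a users table for the attacker to empty."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE comments (id INTEGER PRIMARY KEY, comment TEXT NOT NULL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO users (name) VALUES ('alice'), ('bob');
        """
    )
    return conn


def insert_comment_naive(conn, comment):
    """Vulnerable pattern: the user's text is spliced straight into the SQL string."""
    sql = "INSERT INTO comments (comment) VALUES ('" + comment + "');"
    # executescript() runs the whole text as a batch, the way a server-side driver
    # that accepts several ';'-separated statements would (assumption for this demo;
    # sqlite3's execute() would reject the batch outright).
    conn.executescript(sql)


def insert_comment_parameterized(conn, comment):
    """Fix: the comment is bound as a parameter and is never parsed as SQL."""
    conn.execute("INSERT INTO comments (comment) VALUES (?)", (comment,))
    conn.commit()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT comment FROM comments ORDER BY id")]


def run_naive(comment):
    """Returns (users left, comments stored, error text or None) for the vulnerable insert."""
    conn = fresh_db()
    try:
        insert_comment_naive(conn, comment)
        err = None
    except sqlite3.Error as exc:  # the apostrophe case surfaces here as a syntax error
        err = str(exc)
    return user_count(conn), stored_comments(conn), err


def run_parameterized(comment):
    """Same shape of result for the parameterized insert."""
    conn = fresh_db()
    insert_comment_parameterized(conn, comment)
    return user_count(conn), stored_comments(conn), None


if __name__ == "__main__":
    for label, comment in (("stacked", STACKED_PAYLOAD), ("apostrophe", APOSTROPHE_COMMENT)):
        print(label, "naive        ->", run_naive(comment))
        print(label, "parameterized->", run_parameterized(comment))
```

With the naive insert the stacked payload leaves zero rows in users and only the text before the quote in comments, and the apostrophe comment stores nothing and raises a syntax error; with the bound parameter both comments are stored verbatim and users is untouched. The .NET 2.0 equivalent of the parameterized function is a SqlCommand whose text contains a placeholder such as @comment and whose Parameters collection supplies the value (for example Parameters.Add("@comment", SqlDbType.NVarChar, 4000).Value = text); the apostrophe handling then happens in the driver, not in your code.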