I’m new to the world of coding.
I built a large web site with several textboxes, and now I’ve figured out that I’ve been using a dangerous method of inserting data into the SQL server, something like this:
' String concatenation: the textbox contents become part of the SQL text itself
execSQL("insert into Dossier(ID_Dossier,Nom_Giac) values(" & id_dossier.Text & ",'" & Nom_gaic.Text & "')")
Public Function execSQL(ByVal req As String, Optional ByVal type As String = "r") As Object
    cmd = New SqlCommand
    cmd.CommandText = req
    cmd.Connection = con
    openCon()
    If type = "r" Then
        ' "r" = read: hand back a reader that closes the connection when disposed
        Return cmd.ExecuteReader(CommandBehavior.CloseConnection)
    Else
        ' anything else: run the statement and return the affected row count
        Return cmd.ExecuteNonQuery()
    End If
End Function
I just want to know if using LINQ to SQL can help solve this problem in my entire web site.
To use it, I’m following this course:
http://www.upsizing.co.uk/Art34_IntergratingASPSecurity.aspx
Technically it will, because internally it will deal with all the parameter sanitization your queries currently lack; however, that’s not to say you can’t solve your problem using the code you already have. All you need to do is update your queries to use SqlParameters, e.g.
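As an added illustration of the parameterized approach (this is not the answerer’s code, nor code from the question), here is the question’s execSQL helper rewritten to take SqlParameter objects, plus the Dossier insert rewritten to use placeholders. It assumes a connection string placeholder, that ID_Dossier is an INT column and Nom_Giac an NVARCHAR(100) column, and a "w" mode for non-reader statements; all three are assumptions, not facts from the page.

```vb
Imports System.Data
Imports System.Data.SqlClient

Public Module DataAccess
    ' Assumption: the real connection string lives in web.config; this is a placeholder.
    Private ReadOnly con As New SqlConnection("<your connection string here>")

    Private Sub openCon()
        If con.State <> ConnectionState.Open Then con.Open()
    End Sub

    ' Same shape as the question's helper, but values travel as typed parameters
    ' instead of being spliced into the SQL text. "r" returns a reader; anything
    ' else (e.g. "w") executes the statement and returns the affected row count.
    Public Function execSQL(ByVal req As String,
                            ByVal params As IEnumerable(Of SqlParameter),
                            Optional ByVal type As String = "r") As Object
        Dim cmd As New SqlCommand(req, con)
        For Each p As SqlParameter In params
            cmd.Parameters.Add(p)
        Next
        openCon()
        If type = "r" Then
            Return cmd.ExecuteReader(CommandBehavior.CloseConnection)
        Else
            Dim rows As Integer = cmd.ExecuteNonQuery()
            con.Close()
            Return rows
        End If
    End Function

    ' The insert from the question, rewritten with @placeholders. The textbox text
    ' is only ever a parameter value, so a quote or a semicolon in it cannot change
    ' the statement. Integer.Parse rejects non-numeric ids before the server sees them.
    Public Function InsertDossier(ByVal idText As String, ByVal nomText As String) As Integer
        ' Assumed column types: ID_Dossier INT, Nom_Giac NVARCHAR(100)
        Dim idParam As New SqlParameter("@id", SqlDbType.Int) With {.Value = Integer.Parse(idText)}
        Dim nomParam As New SqlParameter("@nom", SqlDbType.NVarChar, 100) With {.Value = nomText}
        Return CInt(execSQL("INSERT INTO Dossier (ID_Dossier, Nom_Giac) VALUES (@id, @nom)",
                            {idParam, nomParam}, "w"))
    End Function
End Module
```

From a page the call becomes `InsertDossier(id_dossier.Text, Nom_gaic.Text)`; the same pattern applies to every other textbox-driven query on the site, since the only change per query is replacing each concatenated value with a named parameter.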