I’m having a conceptual problem. I have this ASP.NET page to manage code snippets. Now I would like to add tags to this snippet before submitting it, something like you can do with Stack Overflow. I’m wondering how I should go about doing this?
I thought about a hidden textbox, which is filled in by jQuery when a user selects a value from a dropdown list, separated by “;”, which could be read and separated server-side. But this is vulnerable to tinkering, I guess?
Is there any proper way to do this?
I understand that your main concern is that your approach is vulnerable to SQL injection.
The approach you described is very common and used frequently, and by itself it is not causing any SQL injection vulnerability.
It all depends on how your server-side code is implemented. In case you write plain-text SQL queries (like `var sql = "insert into mytable values(" + param1 + ")"`), then you will have a SQL injection risk.
If you use SQL commands with parameters, Linq2SQL, Entity Framework or any approach that is not building SQL queries as I mentioned above, you have nothing to fear.
Enjoy!
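As an added illustration (not code from either poster), here is what the two server-side variants the answer contrasts look like in C# with `System.Data.SqlClient`, together with the server-side parsing of the “;”-separated hidden field. The table `SnippetTags`, its columns, the 25-character tag limit and the optional allowed-tag list are assumptions for the example.

```csharp
// Added example: string-concatenated insert (the risky pattern) next to the
// parameterized insert, plus server-side handling of the ";"-separated hidden
// field. Table and column names are assumed, not taken from the question.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class SnippetTagging
{
    // Splits "tag1;tag2;tag3" coming from the hidden textbox. The client can
    // put anything in that field, so the server normalizes, dedupes, caps the
    // count/length and (optionally) keeps only tags from a known list. That
    // is what answers the "tinkering" worry; injection is handled separately.
    public static List<string> ParseTags(
        string hiddenFieldValue,
        ISet<string> allowedTags = null,   // assumed: loaded from the Tags table
        int maxTags = 5,
        int maxLength = 25)
    {
        if (string.IsNullOrWhiteSpace(hiddenFieldValue))
            return new List<string>();

        var tags = hiddenFieldValue
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(t => t.Trim().ToLowerInvariant())
            .Where(t => t.Length > 0 && t.Length <= maxLength)
            .Distinct();

        if (allowedTags != null)
            tags = tags.Where(allowedTags.Contains);

        return tags.Take(maxTags).ToList();
    }

    // RISKY: the pattern the answer warns about. The tag text becomes part of
    // the SQL statement itself, so a tag containing a single quote changes the
    // statement's structure instead of being stored as data.
    public static string BuildConcatenatedInsert(int snippetId, string tag)
    {
        return "INSERT INTO SnippetTags (SnippetId, Tag) VALUES ("
               + snippetId + ", '" + tag + "')";
    }

    // SAFE: the same insert with SqlParameter. The tag is sent to SQL Server
    // as a typed value and is never interpreted as query text.
    public static void InsertTags(string connectionString, int snippetId, IEnumerable<string> tags)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (var tx = conn.BeginTransaction())
            {
                foreach (var tag in tags)
                {
                    using (var cmd = new SqlCommand(
                        "INSERT INTO SnippetTags (SnippetId, Tag) VALUES (@snippetId, @tag)",
                        conn, tx))
                    {
                        cmd.Parameters.Add("@snippetId", SqlDbType.Int).Value = snippetId;
                        cmd.Parameters.Add("@tag", SqlDbType.NVarChar, 25).Value = tag;
                        cmd.ExecuteNonQuery();
                    }
                }
                tx.Commit();
            }
        }
    }
}
```

Typical use from the page's submit handler: `var tags = SnippetTagging.ParseTags(hiddenTags.Value, allowedTags);` followed by `SnippetTagging.InsertTags(connectionString, snippetId, tags);`. `BuildConcatenatedInsert` is there only to show the shape of the query the answer says to avoid; nothing in the example executes it.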