.net - Algorithm to avoid SQL injection on MSSQL Server from C# code?

Question

Welcome To Ask or Share your Answers For Others

.net - Algorithm to avoid SQL injection on MSSQL Server from C# code?

1 Reply

深蓝 · Answer 1 · 2021-10-17T00:46:15+0000

There's no algorithm needed - just don't use string concatenation to build SQL statements. Use the SqlCommand.Parameters collection instead. This does all the necessary escaping of values (such as replacing ' with '') and ensures the command will be safe because somebody else (i.e. Microsoft) has done all the testing.

e.g. calling a stored procedure:

using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand("MySprocName", connection))
{
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.AddWithValue("@Param1", param1Value);
    return command.ExecuteReader();
}

This technique also works for inline SQL statements, e.g.

var sql = "SELECT * FROM MyTable WHERE MyColumn = @Param1";
using (var connection = new SqlConnection("..."))
using (var command = new SqlCommand(sql, connection))
{
    command.Parameters.AddWithValue("@Param1", param1Value);
    return command.ExecuteReader();
}

Categories

.net - Algorithm to avoid SQL injection on MSSQL Server from C# code?

.net - Algorithm to avoid SQL injection on MSSQL Server from C# code?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags