Last post Oct 05, 2009 11:29 AM by slavik118
Dec 19, 2004 03:32 PM

```csharp
// Vulnerable: the user-supplied value is concatenated straight into the statement
string sql = "SELECT * FROM Products WHERE Category=" + cat;

// Attacker-supplied value for cat:
//     1; DROP TABLE Products; --
//
// Resulting statement sent to the server:
//     SELECT * FROM Products WHERE Category=1; DROP TABLE Products; --
```

```csharp
using System.Data;
using System.Data.SqlClient;

// Safe: the value is bound as a parameter and never parsed as SQL
string query = "SELECT * FROM Products WHERE Category=@Category";
SqlCommand cmd = new SqlCommand(query, conn);
cmd.Parameters.Add("@Category", SqlDbType.NVarChar, 50);
cmd.Parameters["@Category"].Value = cat;
```
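An added, runnable illustration of the point above (not code from the thread): it uses Python's built-in sqlite3 in place of ADO.NET so it runs offline, seeds a constructed Products table, and runs the thread's exact payload through both the concatenated and the parameterized query. Table name, sample rows and function names are assumptions.

```python
import sqlite3

# Constructed sample data (assumption, not from the thread): a tiny Products table.
SEED_SQL = """
CREATE TABLE Products (Id INTEGER PRIMARY KEY, Name TEXT, Category INTEGER);
INSERT INTO Products VALUES (1, 'Widget', 1), (2, 'Gadget', 2);
"""

# The injected value quoted in the thread: closes the WHERE clause, appends a DROP.
PAYLOAD = "1; DROP TABLE Products; --"


def fresh_db():
    """New in-memory database seeded with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='Products'"
    ).fetchone()
    return row is not None


def query_vulnerable(conn, cat):
    """String concatenation, as in the thread's first snippet.
    executescript stands in for a driver that runs a multi-statement batch.
    Returns whether the Products table still exists afterwards."""
    sql = "SELECT * FROM Products WHERE Category=" + str(cat)
    conn.executescript(sql)  # every statement in the string is executed
    return table_exists(conn)


def query_parameterized(conn, cat):
    """Bound parameter: the value is treated as data, never parsed as SQL."""
    cur = conn.execute("SELECT * FROM Products WHERE Category=?", (cat,))
    return cur.fetchall()


def demo():
    a = fresh_db()
    survived_concat = query_vulnerable(a, PAYLOAD)   # False: table was dropped
    b = fresh_db()
    rows = query_parameterized(b, PAYLOAD)            # []: no category equals that text
    survived_param = table_exists(b)                  # True: table untouched
    return survived_concat, rows, survived_param
```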
Mar 07, 2008 07:44 AM
Here is my article on this:
Author: ASP.NET Data Presentation Controls Essentials (Packt Publishing)
Apr 10, 2008 02:25 PM
It is a nice list for this topic; if you could post a video to explain what you did here, it would be great!
Apr 12, 2008 07:53 PM
Always use SQL Helper and Oracle Helper to be in touch with any database.
Error handling is easy and less error prone.
Bind parameters with the command object,
and use properties to avoid SQL injection.
Apr 12, 2008 08:03 PM
Why not write up your notes into an article for www.codeproject.com?
Apr 13, 2008 06:08 AM
Also avoid the 'exec' SQL command.
Apr 13, 2008 03:48 PM
exec in and of itself is not necessarily unsafe; rather, it is how exec is used that can open you up to injection attacks.
Jul 22, 2008 11:10 AM
There is an excellent article on SQL Injection attacks at
Like you, I wish there were some guidance on hack strings, so we can include them in the general abuse we include in test scripts.
Jul 22, 2008 10:13 PM
Thanks for the link. Just to make sure - we need to add the information into web.config file for <system.web>, right?
Jul 23, 2008 05:09 AM
Naom>Just to make sure - we need to add the information into web.config file for <system.web>
Which information please?