Reputation: 3650
If I need to insert data into a table, using SqlParameter is the best choice. But I heard someone say that SqlParameter still has some defects regarding SQL injection. The proof is concatenating a SQL string and running an exec command. In this case, there are still some risks of SQL injection.
But my question is: if I use SqlParameter only to insert data into a table, without an exec command, do I still have the risk of SQL injection?
Upvotes: 0
Views: 679
Reputation: 157981
Yes, as long as you can use a parameter for every statement added to a query dynamically.
Too bad, most frameworks don't allow you to, except for a few simple datatypes only.
Upvotes: 1
Reputation: 127603
The problem with the exec example is that you are running two queries. The first query builds a 2nd SQL string using concatenation, then the 2nd query is executed.
As long as you keep your command and your data channels separate (keeping the query that will be performed independent of the value of the variables the query will run against) you cannot have SQL injection (as the definition of SQL injection is using the data channel to slip something into the command channel).
Upvotes: 1
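The two answers above both rest on the same point: a bound parameter travels on the data channel, so the database never parses it as SQL, whereas a second query built by concatenating that value and then executed (the `exec` pattern in the question) puts the value back on the command channel. The following is an added illustration, not code from either poster; it uses Python's standard `sqlite3` module instead of ADO.NET's SqlParameter, and `executescript` stands in for `EXEC` on a string because both run a multi-statement batch. The table name, the sample rows and the hostile value are constructed for the example.

```python
import sqlite3

# Constructed sample input: a value that contains SQL syntax. Stored through a
# parameter it is just text; spliced into a query string it becomes commands.
HOSTILE_NAME = "x'); DELETE FROM users; --"


def setup():
    """Fresh in-memory database with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", ("alice",))
    conn.commit()
    return conn


def insert_with_parameter(conn, name):
    """Command and data channels stay separate: the SQL text is fixed and the
    value is bound at execution time, so it is stored verbatim.
    Returns (row count, the stored value read back)."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()
    count = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    stored = conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchone()[0]
    return count, stored


def insert_by_concatenation(conn, name):
    """The 'exec' pattern from the question: a second SQL string is built from
    the data and then executed as a batch. The value is now on the command
    channel and can change what the batch does. Returns the row count."""
    sql = "INSERT INTO users (name) VALUES ('" + name + "')"
    # executescript runs every statement in the string, like EXEC on a string
    # in T-SQL, so an injected DELETE runs too.
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def compare():
    """Run both paths against the same hostile value and report the outcome."""
    count_param, stored = insert_with_parameter(setup(), HOSTILE_NAME)
    count_concat = insert_by_concatenation(setup(), HOSTILE_NAME)
    return {
        "parameterized_rows": count_param,     # 2: alice plus the literal text
        "parameterized_stored_verbatim": stored == HOSTILE_NAME,
        "concatenated_rows": count_concat,     # 0: the injected DELETE ran
    }


if __name__ == "__main__":
    print(compare())
```

The parameterized path ends with two rows and the hostile string stored character for character; the concatenated path ends with zero rows because the value was re-parsed as SQL. The defensive takeaway matches the answers: a parameter protects the statement it is bound to, and only that statement, so any later step that turns a stored value back into query text (a stored procedure building dynamic SQL, an application rebuilding a string from a fetched column) must bind it again rather than concatenate it.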