Scott

Reputation: 4200

Database injection prevention C#

public ActionResult PostMessage(string message)
{
    MessageController mc = new MessageController();
    mc.postMessage(message);
    // An ActionResult method must return a result; the original snippet omitted this.
    // Returning the default view is an assumption.
    return View();
}

What can I do here to prevent SQL injection in this string? This is the only input the user is given on the entire page. I am familiar with some PHP techniques, but how would I protect myself in C#?

Thanks!

edit:

// Assumes a connectionString variable is in scope; the original snippet used an already-created connection.
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlCommand command = new SqlCommand("[dbo].[tblMessages_Insert]", connection))
{
    connection.Open();
    command.CommandType = CommandType.StoredProcedure;

    // params: the message is sent as a typed parameter value, never concatenated into SQL text
    SqlParameter messageText = new SqlParameter("@messageText", SqlDbType.VarChar);
    messageText.Value = message;

    // add params
    command.Parameters.Add(messageText);

    int rows = command.ExecuteNonQuery();
}

Upvotes: 0

Views: 319

Answers (1)

Giovanni Galbo

Reputation: 13081

It seems to me that you're already protecting against injection; you're using parameters.

Upvotes: 3
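To show concretely why the answer is right, here is an added example (not code from the question or the answer) that puts the unsafe string-concatenation form of the insert next to two parameterized forms, the inline-SQL one and the stored-procedure one from the question. It assumes a SQL Server table dbo.tblMessages with a MessageText column, a procedure dbo.tblMessages_Insert taking @messageText, and a connection string supplied by the caller; the class name MessageRepository and the column length 500 are made up for the example.

```csharp
// Added example; MessageRepository, the table/column names and the length 500 are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public class MessageRepository
{
    private readonly string _connectionString;

    public MessageRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // UNSAFE: the user's text becomes part of the SQL statement itself, so the
    // database cannot tell data from code. Shown only as the "before" that
    // parameterization fixes; never use this form.
    public int InsertMessageUnsafe(string message)
    {
        string sql = "INSERT INTO dbo.tblMessages (MessageText) VALUES ('" + message + "')";
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            return command.ExecuteNonQuery();
        }
    }

    // SAFE: the statement text is fixed and the message travels to the server
    // as a typed parameter value. Whatever characters it contains, it is never
    // parsed as SQL.
    public int InsertMessageParameterized(string message)
    {
        const string sql = "INSERT INTO dbo.tblMessages (MessageText) VALUES (@messageText)";
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length matching the column avoid implicit
            // conversions and truncation surprises.
            command.Parameters.Add("@messageText", SqlDbType.VarChar, 500).Value = message;
            connection.Open();
            return command.ExecuteNonQuery();
        }
    }

    // SAFE, the stored-procedure form used in the question: the procedure
    // name is fixed and the argument is a parameter, exactly as above.
    public int InsertMessageViaProcedure(string message)
    {
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand("[dbo].[tblMessages_Insert]", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@messageText", SqlDbType.VarChar, 500).Value = message;
            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

One caveat worth checking on the server side: client-side parameterization protects the statement the client sends. If the stored procedure itself concatenates @messageText into a string and runs it with EXEC or sp_executesql without parameters, the injection reappears inside the procedure, so the procedure body should be reviewed for dynamic SQL as well.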
