Reputation: 1
What are the disadvantages of this code :
using System.Data;
using System.Data.SqlClient;

SqlConnection con = new SqlConnection();
con.ConnectionString = @"Data Source=.\sqlExpress;Initial Catalog=Learn;Integrated Security=True";
SqlCommand cmd = new SqlCommand();
// the three TextBox values are concatenated straight into the SQL text
cmd.CommandText = "Insert Into tblUser(name,family,tel)Values('" + txtName.Text + "','" + txtFamily.Text + "','" + txtTel.Text + "')";
cmd.Connection = con;
cmd.CommandType = CommandType.Text;
con.Open();
cmd.ExecuteNonQuery();
con.Close();
Upvotes: 0
Views: 221
Reputation: 6421
Related to secure coding...
Your code is vulnerable to SQL injection attacks since you are directly using txtName.Text in the code to form a query. Parameterized queries should be used. Additionally, you should validate txtName.Text before using it. That is it.
Upvotes: 0
Reputation: 86698
One major disadvantage is that you don't quote your strings or use parameterized queries, so somebody who inputs O'Brien for their last name will get an exception.
Of course, that also means that somebody can enter arbitrary SQL into a text box and have you execute it for them. That's bad.
Upvotes: 3
Reputation: 23157
You mean besides the fact that the SqlConnection won't be disposed, and that the SqlCommand is written in such a way as to invite a SQL Injection attack?
Relevant XKCD comic:
Upvotes: 4
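The three answers above make two separate points: the concatenated query is injectable (and breaks on a plain apostrophe), and neither the SqlConnection nor the SqlCommand is disposed. The following is an added example, not code from the question or any of the answers, showing the question's string-building next to a parameterized, `using`-scoped version. The table and column names (tblUser: name, family, tel) and the connection string are taken from the question; the column lengths (50/50/20) and the validation limits are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original question or answers).
static class UserRepository
{
    // The question's concatenation, kept only to show what text reaches the server.
    public static string BuildUnsafeSql(string name, string family, string tel)
    {
        return "Insert Into tblUser(name,family,tel) Values('" + name + "','" + family + "','" + tel + "')";
    }

    // Hardened form: the SQL text is a constant, the values travel as typed
    // parameters (the server never parses them as SQL), and both IDisposable
    // objects are released by the using blocks even if ExecuteNonQuery throws.
    // Returns the number of affected rows (1 on success).
    public static int InsertUser(string connectionString, string name, string family, string tel)
    {
        // Input validation: assumed column sizes of 50/50/20 characters.
        if (string.IsNullOrWhiteSpace(name) || name.Length > 50)
            throw new ArgumentException("name must be 1-50 characters", nameof(name));
        if (string.IsNullOrWhiteSpace(family) || family.Length > 50)
            throw new ArgumentException("family must be 1-50 characters", nameof(family));
        if (string.IsNullOrWhiteSpace(tel) || tel.Length > 20)
            throw new ArgumentException("tel must be 1-20 characters", nameof(tel));

        const string sql = "INSERT INTO tblUser (name, family, tel) VALUES (@name, @family, @tel)";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Explicit types and sizes: the driver sends the values as data,
            // and a value longer than the declared size is truncated client-side
            // rather than reaching the server as part of the statement.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            cmd.Parameters.Add("@family", SqlDbType.NVarChar, 50).Value = family;
            cmd.Parameters.Add("@tel", SqlDbType.VarChar, 20).Value = tel;

            con.Open();
            return cmd.ExecuteNonQuery();
        }   // Dispose() closes the connection; no separate con.Close() needed
    }

    static void Main()
    {
        // Constructed inputs: a legitimate apostrophe and an injection attempt.
        Console.WriteLine(BuildUnsafeSql("Conor", "O'Brien", "555"));
        // Values('Conor','O'Brien','555')  -> unbalanced quote, SQL Server raises a syntax error

        Console.WriteLine(BuildUnsafeSql("x", "y', '1'); DROP TABLE tblUser; --", "z"));
        // Values('x','y', '1'); DROP TABLE tblUser; --','z')
        // -> the INSERT completes, DROP TABLE runs as a second statement in the
        //    same batch, and the trailing ','z') is commented out.

        // With the parameterized version both inputs are stored verbatim as
        // column values; neither changes the statement that is executed:
        // InsertUser(@"Data Source=.\sqlExpress;Initial Catalog=Learn;Integrated Security=True",
        //            "Conor", "O'Brien", "555");
    }
}
```

Note that validation (the length checks) is a defense in depth, not the fix: the parameters are what stop injection, while the checks keep obviously bad data, such as a 300-character "telephone number", from ever reaching the database.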