Reputation: 951
Is there a way to prevent SQL injection by using stored procedures?
I have a SQL query as follows:
select column name from table where field ='@value'
cmd.Parameters.Add("@value", value);
I am using parameterized queries with least privileges. How can I write a basic stored procedure to prevent SQL injection? Is that possible?
Upvotes: 3
Views: 835
Reputation: 725
C#:
cmd.Parameters.Add("?value", value);
is deprecated.
To update what @Yogesh Bhadauirya stated:
cmd.Parameters.AddWithValue("?value", value);
Upvotes: 0
Reputation: 86775
If you're using parameterised queries, you should not need the quotes around @value (@value instead of '@value'), provided the @value parameter is defined as a string.
Creating a stored procedure works in the same kind of way. @value would be defined as a VARCHAR or something, and so only accept strings. Then you reference @value rather than '@value' in the stored procedure.
-- T-SQL (SQL Server) syntax; column_name and my_table are placeholders
CREATE PROCEDURE my_proc
    @value VARCHAR(32)
AS
BEGIN
    -- @value is compared as a typed value, never spliced into the SQL text
    SELECT column_name FROM my_table WHERE field = @value;
END
Upvotes: 2
Reputation: 1235
SELECT column_name FROM my_table WHERE field = @value
cmd.Parameters.Add("@value", value);
SQL parameters avoid the SQL injection problem.
You just need to change the = condition to use the parameter; check the query above.
Upvotes: 7
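As an added example (not code from the question or from any of the answers above), this is how the two safe forms the answers describe, the unquoted inline parameter and the stored procedure with a typed parameter, are called from C# with ADO.NET, next to the string-concatenation form they replace. The connection string, the table and column names and the procedure name my_proc are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient; // System.Data.SqlClient on .NET Framework

// Added example, not from the question or answers. Assumes a SQL Server
// database with a table my_table(field, column_name) and the stored
// procedure my_proc(@value VARCHAR(32)); all names are placeholders.
public static class FieldLookup
{
    // VULNERABLE: the caller's value becomes part of the SQL text, so any
    // quote character in it changes the structure of the statement.
    // Shown only for contrast; never execute text built this way.
    public static string UnsafeQueryText(string value) =>
        "SELECT column_name FROM my_table WHERE field = '" + value + "'";

    // Also wrong, and the mistake in the question: quoting the marker.
    // The driver never binds it, so the server compares field with the
    // literal six characters "@value" and the bound parameter is unused.
    public const string QuotedMarkerQuery =
        "SELECT column_name FROM my_table WHERE field = '@value'";

    // SAFE: inline parameterised query. The marker is unquoted and typed,
    // so the value reaches the server as data, separate from the SQL text.
    public static List<string> FindInline(string connectionString, string value)
    {
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand(
            "SELECT column_name FROM my_table WHERE field = @value", conn);
        cmd.Parameters.Add("@value", SqlDbType.VarChar, 32).Value = value;
        return ReadStrings(cmd);
    }

    // SAFE: the same lookup through the stored procedure. The parameter is
    // declared VARCHAR(32) inside the procedure and bound the same way.
    public static List<string> FindViaProcedure(string connectionString, string value)
    {
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand("my_proc", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@value", SqlDbType.VarChar, 32).Value = value;
        return ReadStrings(cmd);
    }

    // Opens the command's connection, runs it and collects the first column.
    private static List<string> ReadStrings(SqlCommand cmd)
    {
        var results = new List<string>();
        cmd.Connection.Open();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
        {
            results.Add(reader.IsDBNull(0) ? null : reader.GetString(0));
        }
        return results;
    }
}
```

Both safe methods bind the parameter with an explicit SqlDbType and length, which is the non-obsolete overload of Parameters.Add and also fixes the type the server sees. The stored procedure gives the same protection as the inline query only while its body uses @value as a value; a procedure that concatenates the parameter into a string and runs it with EXEC reintroduces the injection risk inside the database.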
Reputation: 331
Using parameterized queries alone should already prevent SQL injection attacks, as far as I am aware.
Upvotes: 6