Eric R.

Reputation: 1125

SqlCommand Parameters Clarification

I was told that if using SqlCommand in C# and if you were to add parameters to that command, that it will add security since it will protect against Sql Injection. I was wondering if this is in fact true. If so, how can it stop Sql Injection because it is my understanding that when using parameters, it just inserts a string at a point in the Sql command. So that string could be anything, making Sql Injection possible, correct?

Upvotes: 0

Views: 230

Answers (1)

harpo

Reputation: 43168

It is not a simple replace. The framework will send the values (especially strings) as a separate part of the RPC call, so that it is impossible for a value to be executed as code.

Thanks to @PanagiotisKanavos for the correction (6 years later).

Upvotes: 3
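As an added illustration of the answer above (this is not code from the question or the answer), here is the string-concatenation form beside the parameterized form. It assumes a `dbo.Users` table with `Id` and `Name` columns and a placeholder connection string.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient; // System.Data.SqlClient on .NET Framework

static class UserLookup
{
    // Constructed sample input of the kind that breaks concatenated SQL.
    const string SampleInput = "' OR 1=1 --";

    // Concatenation: the value becomes part of the SQL text, so the
    // server parses the quote and the comment marker as SQL syntax and
    // the WHERE clause no longer means what the author intended.
    static string BuildConcatenatedSql(string userName) =>
        "SELECT Id, Name FROM dbo.Users WHERE Name = '" + userName + "'";

    // Parameter: the SQL text is fixed at compile time. SqlClient sends
    // the statement and the value as separate pieces of an RPC call
    // (sp_executesql), so the value is bound as an nvarchar argument and
    // is never parsed as SQL. A server-side trace typically shows:
    //   exec sp_executesql N'SELECT Id, Name FROM dbo.Users WHERE Name = @name',
    //                      N'@name nvarchar(100)', @name = N''' OR 1=1 --'
    static SqlCommand BuildParameterizedCommand(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM dbo.Users WHERE Name = @name", conn);
        // Prefer Add with an explicit type and length over AddWithValue:
        // it avoids implicit type inference and plan cache churn.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName;
        return cmd;
    }

    static void Main()
    {
        Console.WriteLine("Concatenated text the server would parse:");
        Console.WriteLine(BuildConcatenatedSql(SampleInput));

        // Placeholder connection string; replace before running.
        const string connStr = "Server=.;Database=AppDb;Integrated Security=true;TrustServerCertificate=true";
        using var conn = new SqlConnection(connStr);
        conn.Open();
        using var cmd = BuildParameterizedCommand(conn, SampleInput);
        using var reader = cmd.ExecuteReader();
        // Returns only rows whose Name literally equals "' OR 1=1 --",
        // i.e. normally none, rather than every row in the table.
        while (reader.Read())
            Console.WriteLine($"{reader.GetInt32(0)}: {reader.GetString(1)}");
    }
}
```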
