If your code is safe from SQL injections, an attempt to do one shouldn't
result in an error message, as it doesn't cause any error.

The easiest way to prevent SQL injections is to use parameterized
queries. That way the command object takes care of encoding the values
correctly.

Additional security can be achieved by only using stored procedures in
the queries, and limiting the database user to only have permission to run
stored procedures. That way it's not even possible to execute an SQL
query using the connection.
ss wrote:
Hi,
Can anybody give me sample code where the SQL injection attack is
validated?
How can I do that in the business logic layer and pass the error to the
presentation tier?
I want the sample code.
Thanks,
bye
ss
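
The point made in the reply above, as an added example that is not part of the original thread: the same input is run through a concatenated query and a parameterized one, and the business-layer function hands the presentation tier an ordinary "not found" result rather than a database error. Python's `sqlite3` stands in for the database and command object here; the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "Oslo"), ("bob", "Lima"), ("o'brien", "Cork")])
    return conn

def cities_concat(conn, name):
    """'Before' version: the value is pasted into the SQL text."""
    sql = "SELECT city FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def cities_param(conn, name):
    """Parameterized version: the value travels separately from the SQL text."""
    sql = "SELECT city FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def lookup(conn, name):
    """Business-layer call: returns a plain result for the presentation tier."""
    cities = cities_param(conn, name)
    if not cities:
        return {"ok": False, "message": "No such customer"}
    return {"ok": True, "cities": cities}

def compare(conn, name):
    """Run both versions on one input; report the rows or the error class."""
    out = {}
    for label, fn in (("concat", cities_concat), ("param", cities_param)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.Error as exc:
            out[label] = type(exc).__name__
    return out

# Constructed inputs: a quote-bearing injection attempt and a legitimate
# name that happens to contain a quote.
INJECTION = "x' OR '1'='1"
LEGIT_WITH_QUOTE = "o'brien"

if __name__ == "__main__":
    db = make_db()
    for value in (INJECTION, LEGIT_WITH_QUOTE, "alice"):
        print(repr(value), compare(db, value), lookup(db, value))
```

With the parameterized query the injection attempt is just a name that matches no row, so there is no error to pass upward; the concatenated query is the one that either returns every row or fails on a legitimate name containing a quote.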