
Parameterized query in .NET

P: 41
I came across an article where it was mentioned that if we want to fire a dynamic query, we should use a parameterized query:

// Case 1: the input is concatenated straight into the SQL text (the "wrong way")
string inputCity = textbox.Text;
SqlCommand cmd = new SqlCommand("select * from Customers where city = '" + inputCity + "'", conn);
Don't ever build a query this way!

as this leads to hacking.
Instead do it like this:

// Case 2: the SQL text is fixed; the value travels separately as a parameter
SqlCommand cmd = new SqlCommand("select * from Customers where city = @City", conn);
SqlParameter param = new SqlParameter();
param.ParameterName = "@City";
param.Value = inputCity;
cmd.Parameters.Add(param); // the parameter must be attached to the command before it is executed

Do you really think the hacking problem can be solved using a parameterized query? If yes, please tell me how the hacking problem is solved.

Thanks in advance
Feb 26 '08 #1
2 Replies

Expert 5K+
P: 8,127
A parameterized query is OK, but I don't understand how that is related to hacking.
Feb 26 '08 #2

P: 41
In the above example the author said case 1 is the wrong way of implementation because:

The input variable, inputCity, is typically retrieved from a TextBox control on either a Windows form or a Web Page. Anything placed into that TextBox control will be put into inputCity and added to your SQL string. This situation invites a hacker to replace that string with something malicious. In the worst case, you could give full control of your computer away.

But I think the same chances are there when we use a parameterized query.
Feb 26 '08 #3
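The difference between the two cases in the thread can be seen by running both against a database. The following is an added example and not code from any poster; it uses Python's sqlite3 module with an in-memory table (constructed sample data) in place of SqlCommand, and sqlite's `?` placeholder in place of `@City`, but the behaviour is the same: with concatenation the database parses whatever quotes and keywords the input contains, whereas a bound parameter is only ever treated as a value.

```python
import sqlite3

# Constructed sample rows standing in for the thread's Customers table.
CUSTOMERS = [("Alice", "London"), ("Bob", "Paris"),
             ("Carol", "London"), ("Dan", "Berlin")]


def make_db():
    """Build a fresh in-memory Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    return conn


def concatenated_lookup(conn, input_city):
    """Case 1 from the thread: the input becomes part of the SQL text.

    Returns the matching rows, or None if the database rejected the SQL
    (for example because the input contained an unmatched quote).
    """
    sql = "select * from Customers where city = '" + input_city + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def parameterized_lookup(conn, input_city):
    """Case 2 from the thread: fixed SQL text, value bound separately.

    The parser only ever sees 'city = ?'; the input is compared as a
    string and cannot add conditions or break the statement.
    """
    sql = "select * from Customers where city = ?"
    return conn.execute(sql, (input_city,)).fetchall()


def compare(input_city):
    """Run the same input through both styles and return the results."""
    conn = make_db()
    return {
        "concatenated": concatenated_lookup(conn, input_city),
        "parameterized": parameterized_lookup(conn, input_city),
    }


if __name__ == "__main__":
    for city in ("London", "O'Fallon", "x' OR '1'='1"):
        print(repr(city), "->", compare(city))
```

For an ordinary value both styles return the same rows; for a value containing a quote the concatenated version either errors out or, as in the last case, returns every customer because the condition was rewritten, while the parameterized version simply finds no city of that name.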
