See more: C#
Hi!

I want the user to be able to enter a single quote (') in a textbox.
I'm using SQLyog, but it displays an error because the insert query becomes
('dgfd dfg ddf_'','','',8). You can see here that there are actually four parameters, but it shows an error.
Posted 3-Jun-09 21:15pm

Solution 1

Your application is wide open for SQL injection attacks.

Please instruct your users not to enter this in the text field:
','','',8);drop table Users;--

Alternatively, you can correct the code. Use parameterised queries instead of concatenating the data into the query.


Solution 2

Well, the solution you should take, not just to solve your issue but to make it more secure, is to use parameters with the SQL queries.

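Both solutions make the same point: the apostrophe that breaks the poster's INSERT is the same thing that lets the payload in Solution 1 through. The following is an added example, not code from the question or either answer, and not the poster's C#/MySQL code. It uses Python with an in-memory SQLite database as a stand-in: the table and column names are assumptions (the question only shows the four values being inserted), and `executescript()` stands in for a database driver that accepts stacked statements, which is what Solution 1's `drop table` payload relies on. It builds the concatenated query exactly as the question does, shows it failing on `O'Brien` and dropping the table on the payload, and then shows the parameterised form handling both inputs as plain data.

```python
import sqlite3

# Constructed stand-in for the poster's MySQL table: the question shows only
# four values ('dgfd dfg ddf_', '', '', 8), so the table and column names are assumptions.
SCHEMA = "CREATE TABLE Users (name TEXT, col2 TEXT, col3 TEXT, col4 INTEGER)"

# The payload Solution 1 warns about, verbatim.
INJECTION_PAYLOAD = "','','',8);drop table Users;--"


def fresh_db():
    """In-memory SQLite database with the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_concatenated_sql(name, col2, col3, col4):
    """The pattern from the question: values spliced straight into the SQL text.
    Any ' in `name` ends the string literal early, which is why the poster's
    query breaks and why an attacker can supply SQL of their own."""
    return f"INSERT INTO Users VALUES ('{name}','{col2}','{col3}',{col4})"


def insert_concatenated(conn, name, col2, col3, col4):
    """Vulnerable insert. executescript() runs stacked statements, standing in
    for a driver with multi-statement execution enabled (assumption)."""
    sql = build_concatenated_sql(name, col2, col3, col4)
    try:
        conn.executescript(sql)
    except sqlite3.Error as exc:
        return f"error: {exc}"  # for O'Brien: near "Brien": syntax error
    return "ok"


def insert_parameterised(conn, name, col2, col3, col4):
    """Hardened insert: placeholders keep the SQL text fixed and send the values
    separately, so a quote (or a whole statement) in `name` is stored as data."""
    conn.execute("INSERT INTO Users VALUES (?, ?, ?, ?)", (name, col2, col3, col4))
    conn.commit()
    return "ok"


def users_table_exists(conn):
    """True while the Users table is still present in the schema catalogue."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Users'"
    ).fetchone()
    return row is not None


def stored_names(conn):
    """Names currently stored, in insertion order."""
    return [r[0] for r in conn.execute("SELECT name FROM Users ORDER BY rowid")]


def run_demo():
    results = {}

    # 1. The poster's bug: an apostrophe in the input.
    conn = fresh_db()
    results["concat_apostrophe"] = insert_concatenated(conn, "O'Brien", "", "", 8)
    insert_parameterised(conn, "O'Brien", "", "", 8)
    results["param_apostrophe_stored"] = stored_names(conn)

    # 2. Solution 1's payload against the concatenated query: the table is dropped.
    conn = fresh_db()
    insert_concatenated(conn, INJECTION_PAYLOAD, "", "", 8)
    results["concat_payload_table_survives"] = users_table_exists(conn)

    # 3. The same payload through parameters: stored as a harmless string.
    conn = fresh_db()
    insert_parameterised(conn, INJECTION_PAYLOAD, "", "", 8)
    results["param_payload_table_survives"] = users_table_exists(conn)
    results["param_payload_stored"] = stored_names(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Two caveats for anyone carrying this over to the poster's setup. First, the ADO.NET equivalent of the `?` placeholders is a parameter on the command object (`cmd.Parameters.AddWithValue("@name", value)` with an `@name` placeholder in the query text); escaping quotes by hand is not a substitute, because it only covers the one character you thought of. Second, parameters bind values only: they do not let you pass table or column names, and they do not fix SQL whose structure is still assembled from user input.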
Last Updated 4 Jun 2009
Copyright © CodeProject, 1999-2014