See more: C#
Hi!

I want the user to be able to enter a single quote (') in a textbox.
I'm using SQLyog, but it displays an error as the insert query becomes
('dgfd dfg ddf_'','','',8). You can see here that there are actually four parameters, but it shows an error.
Posted 3-Jun-09 21:15pm

Solution 1

Your application is wide open for SQL injection attacks.

Please instruct your users not to enter this in the text field:
','','',8);drop table Users;--

Alternatively, you can correct the code. Use parameterised queries instead of concatenating the data into the query.


Solution 2

Well, the solution you should take, not just to solve your issue but to make it more secure, is to use parameters with the SQL queries.

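Both solutions point at the same fix, so here is what it looks like in C# with ADO.NET. This is an added example, not code from the question or the answers; it assumes a hypothetical `Items(Name, Code, Note, Qty)` table matching the four values in the question and uses `System.Data.SqlClient` (the MySQL connector's `MySqlCommand`/`MySqlParameter` follow the same shape).

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // MySql.Data.MySqlClient offers the same API shape

// Hypothetical table assumed for this example: Items(Name, Code, Note, Qty).
public static class ItemRepository
{
    // BEFORE: string concatenation. A single quote in 'name' breaks the statement
    // (the error in the question), and crafted input changes its meaning
    // (the injection string shown in Solution 1).
    public static string BuildUnsafeInsert(string name, string code, string note, int qty)
    {
        return "INSERT INTO Items (Name, Code, Note, Qty) VALUES ('"
            + name + "','" + code + "','" + note + "'," + qty + ")";
    }

    // AFTER: parameterised query. The statement text never contains user data;
    // values travel separately, so a quote is just a character in the stored string.
    // No manual escaping (Replace("'", "''")) is needed or wanted.
    public static int InsertItem(string connectionString, string name, string code, string note, int qty)
    {
        const string sql =
            "INSERT INTO Items (Name, Code, Note, Qty) VALUES (@name, @code, @note, @qty)";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit types and lengths keep the plan cache stable and reject oversized input.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            command.Parameters.Add("@code", SqlDbType.NVarChar, 50).Value = code;
            command.Parameters.Add("@note", SqlDbType.NVarChar, 500).Value = note;
            command.Parameters.Add("@qty", SqlDbType.Int).Value = qty;

            connection.Open();
            return command.ExecuteNonQuery(); // rows affected: 1 on success
        }
    }

    public static void Main()
    {
        // The input from the question: the trailing quote ends the first literal early,
        // which is why the concatenated statement fails to parse.
        Console.WriteLine(BuildUnsafeInsert("dgfd dfg ddf_'", "", "", 8));

        // Connection string is a placeholder; with a real one, the same input inserts cleanly.
        // InsertItem("<connection string>", "dgfd dfg ddf_'", "", "", 8);
    }
}
```

`BuildUnsafeInsert` is kept only to show the broken statement from the question; the parameterised `InsertItem` is the version to ship.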
Last Updated 4 Jun 2009