Hi, I'm wondering about this. I have a product table, and when I add a product I use this code. Is this safe against an SQL injection attack?

Here is my code:

        Try
            ' Typed DataSet adapter: if generated by the DataSet designer, Insert maps
            ' each argument to a SqlParameter of the InsertCommand
            Dim ta As New sampledbDSTableAdapters.productTableAdapter
            ta.Insert(TextBox1.Text, TextBox2.Text, TextBox3.Text, ComboBox1.SelectedValue)
            Me.DialogResult = Windows.Forms.DialogResult.OK
        Catch ex As Exception
            ' An empty Catch silently discards the failure; at least report it
            MessageBox.Show(ex.Message)
        End Try
Posted 28-Nov-12 21:01pm
Earloc at 29-Nov-12 3:43am
It depends on the implementation of the sampledbDSTableAdapters.productTableAdapter.Insert method.

If it is generated, then it will most likely make use of SqlParameters to "inject" your provided values into the Insert SQL statement, and therefore should prevent most of the common SQL injection scenarios.
joshrduncan2012 at 29-Nov-12 9:22am
I agree, my suggestion would be to use Parameterized Queries.
ianshack at 30-Nov-12 22:42pm
thank you all for your ideas.

1 solution


Solution 1

On the surface, no, it's not safe. You're passing the values of TextBoxes to some method called .Insert, which probably doesn't scrub those values before putting them into the SQL statement.
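As an added illustration of the point made in the comments and in this solution (this is example code, not from the question, the answer, or any generated adapter): a hand-written VB.NET insert that concatenates the TextBox values into the statement, beside the parameterized form that a designer-generated TableAdapter.Insert uses internally. It assumes a hypothetical product table with columns ProductName, Description and CategoryId, and a placeholder connection string.

```vb
' Added example; table and column names are assumptions, not from the original question.
Imports System.Data
Imports System.Data.SqlClient

Public Class ProductRepository
    Private ReadOnly _connectionString As String = "<connection string placeholder>"

    ' UNSAFE: the user-supplied text becomes part of the SQL statement itself, so a
    ' value containing a single quote alters the statement instead of being stored as data.
    Public Sub InsertUnsafe(productName As String, description As String, categoryId As Integer)
        Dim sql As String = "INSERT INTO product (ProductName, Description, CategoryId) VALUES ('" _
                            & productName & "', '" & description & "', " & categoryId & ")"
        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, conn)
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' SAFE: the statement text is fixed; the values travel separately as typed parameters,
    ' which is what a designer-generated TableAdapter.Insert does with its arguments.
    Public Sub InsertParameterized(productName As String, description As String, categoryId As Integer)
        Const sql As String = "INSERT INTO product (ProductName, Description, CategoryId) " _
                              & "VALUES (@ProductName, @Description, @CategoryId)"
        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@ProductName", SqlDbType.NVarChar, 100).Value = productName
                cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 500).Value = description
                cmd.Parameters.Add("@CategoryId", SqlDbType.Int).Value = categoryId
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub
End Class

' From the form, the call corresponding to the question's ta.Insert(...) would be:
'   Dim repo As New ProductRepository
'   repo.InsertParameterized(TextBox1.Text, TextBox2.Text, CInt(ComboBox1.SelectedValue))
```

To confirm which of the two shapes your own adapter has, open the designer-generated file for the dataset (sampledbDS.Designer.vb) and check whether the adapter's InsertCommand has a Parameters collection populated with one SqlParameter per column, rather than building CommandText from the argument values.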

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 29 Nov 2012
Copyright © CodeProject, 1999-2015