Click here to Skip to main content
15,030,744 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hi Expert,

I am developing website in csharp asp.net.
I am using Mysql as database.

In Some page i am searching record from database using Textbox txtSearch.

example

C#
string data=txtSearch.Text;

select * from companydetails where company LIKE '%" + data + "%'  or category1 LIKE '%" + data + "' or category2 LIKE '%" + data + "%' 



Is it safe from Sql Injection attack ?

How to prevent it?

Thanks in advance.
Posted
Updated 25-Sep-11 21:23pm
v2

Is it safe from Sql Injection attack
No.


How To: Protect From SQL Injection in ASP.NET[^]
   
Comments
udusat13 26-Sep-11 3:36am
   
Thanksssssssssssssssss.
Dalek Dave 26-Sep-11 4:02am
   
Quite right.
No. It isn't at all safe! What if the user typed:
%';DROP TABLES companydetails;--

Try a parametrized query instead:
SQL
select * from companydetails where company LIKE '%' + @DATA + '%' or category1 LIKE '%' + @DATA + '%' or category2 LIKE '%' + @DATA + '%'
and then provide the @DATA parameter via the SqlCommand.Parameters.AddWithValue method.
   
Comments
udusat13 26-Sep-11 3:37am
   
Thanksssssssssssss..........

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900