Hello everyone,

I'm pretty new to using ADO.NET for connecting to a database, but I'm totally new to making my queries SQL-injection proof. I'm using it like this:
C#
using System.Data.OleDb;

OleDbConnection dbcon = new OleDbConnection();
OleDbDataReader dr;
dbcon.ConnectionString = ...connection string setup;   // property name is ConnectionString
// The SQL text stays fixed; the value is supplied separately as a parameter.
// Note: the OLE DB provider binds parameters by position, so "?" is the
// portable placeholder; a name such as @id is only accepted by some providers.
OleDbCommand dbc = new OleDbCommand("SELECT * FROM test WHERE id=@id", dbcon);
dbc.Parameters.AddWithValue("@id", id);   // same variable as the command (was "cmd")
dbcon.Open();                              // the connection must be open before ExecuteReader
dr = dbc.ExecuteReader();
while (dr.Read())
{
  ...code here
}
dr.Close();
dbcon.Close();

but I don't know exactly in which situations you need to do this:

1. all the queries, such as insert, select, update, delete;
2. only queries which require user input, from textboxes for example.

And before I used the parameters I could see the literal input when I was debugging my code by watching dbc.CommandText, but now it's just filled with the placeholders like @id etc.

Is there any way I can see the literal query with the real values?

Thanks in advance.
Updated 5-Apr-13 7:44am

Basically, you need to use parameterized statements: http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements.

Please see my past answers for some more detail:
hi name is not displaying in name?,
EROR IN UPATE in com.ExecuteNonQuery();.

Here is a good illustration of SQL injection: http://xkcd.com/327/ :-).

—SA
You can use SQL Profiler (a tool you run to see all queries executed against a database) to see the literal query and values. Though, you will find that the query may even be sent to the server parameterized, followed by some statements that pass in the values of the parameters.

Yes, all queries that take parameters should use parameterized queries. Never do string concatenation. There is usually no good reason to ever do manual string concatenation.

If you decided to use an ORM (NHibernate, Entity Framework), you may not even see the query... they will be built and parameterized for you. This is another good reason to use SQL Profiler.
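The contrast the two answers describe, as an added example that is not code from the question or from either answer: a concatenated command beside its parameterized form, plus a small logging helper that substitutes the bound values into the command text so the literal query can be inspected while debugging. The table name "test", the integer column "id", the connection string placeholder and the helper names are assumptions for the illustration; the rendered string is for the log only and is never executed, because, as the answer above notes, the server receives the fixed SQL text and the parameter values separately.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Text;

static class ParameterizedQueryDemo
{
    // Vulnerable form: whatever the user typed becomes part of the SQL statement.
    static OleDbCommand BuildConcatenated(OleDbConnection con, string userInput)
    {
        return new OleDbCommand("SELECT * FROM test WHERE id=" + userInput, con);
    }

    // Safe form: the SQL text is fixed and the value travels as a typed parameter.
    // The OLE DB provider binds parameters by position, so "?" is the placeholder.
    static OleDbCommand BuildParameterized(OleDbConnection con, int id)
    {
        var cmd = new OleDbCommand("SELECT * FROM test WHERE id=?", con);
        cmd.Parameters.Add("@id", OleDbType.Integer).Value = id;
        return cmd;
    }

    // Debug helper (hypothetical): renders CommandText with each "?" replaced by the
    // bound value so the literal query shows up in a log. Strings are quoted with
    // embedded quotes doubled purely so the log line is readable as SQL.
    static string RenderForLog(OleDbCommand cmd)
    {
        var sb = new StringBuilder();
        int next = 0;
        foreach (char c in cmd.CommandText)
        {
            if (c == '?' && next < cmd.Parameters.Count)
            {
                object v = cmd.Parameters[next++].Value;
                sb.Append(v is string s ? "'" + s.Replace("'", "''") + "'" : Convert.ToString(v));
            }
            else
            {
                sb.Append(c);
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        string connStr = "<your connection string>";   // placeholder, not a real value
        string fromTextbox = "1 OR 1=1";                // constructed sample input

        using (var con = new OleDbConnection(connStr))
        {
            // Concatenation: the input changed the statement itself.
            Console.WriteLine(BuildConcatenated(con, fromTextbox).CommandText);
            // prints: SELECT * FROM test WHERE id=1 OR 1=1

            // Parameterized: non-numeric input never reaches the database at all,
            // and a valid id is sent as a value, not as SQL text.
            if (!int.TryParse(fromTextbox, out int id))
            {
                Console.WriteLine("rejected: id must be an integer");
                id = 1;                                  // constructed valid value for the demo
            }
            OleDbCommand safe = BuildParameterized(con, id);
            Console.WriteLine(safe.CommandText);         // SELECT * FROM test WHERE id=?
            Console.WriteLine(RenderForLog(safe));       // SELECT * FROM test WHERE id=1

            con.Open();
            using (OleDbDataReader dr = safe.ExecuteReader())
            {
                while (dr.Read())
                {
                    // ...process the row here
                }
            }
        }
    }
}
```

RenderForLog answers the second question in the post: CommandText legitimately stays "SELECT * FROM test WHERE id=?" because that is what the server executes; the values live in cmd.Parameters and are passed with the statement, which is also why SQL Profiler shows the parameterized text followed by the parameter values rather than one literal query.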

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900