Hi, I'm wondering about this. I have a product table, and when I add a product I use this code. Could this be safe against an SQL injection attack?

Here is my code:

Try
    ' Strongly typed adapter generated by the DataSet designer for the product table
    Dim ta As New sampledbDSTableAdapters.productTableAdapter
    ' One argument per column; the values come straight from the form controls
    ta.Insert(TextBox1.Text, TextBox2.Text, TextBox3.Text, ComboBox1.SelectedValue)

    Me.DialogResult = Windows.Forms.DialogResult.OK
Catch ex As Exception
    ' Any database error is shown to the user and focus returns to the first field
    MsgBox(ex.Message)
    TextBox1.Focus()
End Try
Posted 28-Nov-12 22:01pm
Comments
Earloc 29-Nov-12 3:43am
It depends on the implementation of the sampledbDSTableAdapters.productTableAdapter.Insert method.

If it is generated, then it most likely will make use of SqlParameters to "inject" your provided values into the INSERT SQL statement, and therefore should prevent most of the common SQL injection scenarios.
joshrduncan2012 29-Nov-12 9:22am
I agree, my suggestion would be to use Parameterized Queries.
ianshack 30-Nov-12 22:42pm
Thank you all for your ideas.

1 solution

Solution 1

On the surface, no, it's not safe. You're passing the values of TextBoxes to some method called .Insert, which probably doesn't scrub those values before putting them into the SQL statement.
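The two comments and the solution point in different directions because the answer lives in code the question does not show: the generated adapter. The definitive check is to open the dataset designer file (expected to be sampledbDS.Designer.vb, given the sampledbDSTableAdapters namespace) and read the InsertCommand's CommandText; markers such as @name, each bound to a SqlParameter, mean the values are sent as data rather than spliced into the statement. The following is an added example, not the poster's code and not the designer-generated adapter: it places a concatenated INSERT beside the parameterized form a generated adapter uses, plus the input conversion that belongs in the form before the adapter is called. The product table columns (name, description, price, category_id), the helper names and the LocalDB connection string are assumptions for illustration.

```vbnet
' Added example, not code from the original question or from the generated
' TableAdapter. Assumed for illustration: a product table with columns
' name, description, price and category_id, and a LocalDB connection string.
Imports System.Data
Imports System.Data.SqlClient

Module ProductInsertExample

    ' UNSAFE: the TextBox strings are spliced into the SQL text. A single quote
    ' in the name or description ends the literal and the rest is parsed as SQL.
    Sub InsertProductUnsafe(conn As SqlConnection, name As String, description As String,
                            priceText As String, categoryValue As Object)
        Dim sql As String = "INSERT INTO product (name, description, price, category_id) VALUES ('" &
                            name & "', '" & description & "', " & priceText & ", " &
                            Convert.ToString(categoryValue) & ")"
        Using cmd As New SqlCommand(sql, conn)
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    ' SAFE: the SQL text is constant and each value is sent as a typed parameter,
    ' so the server stores it as data and never parses it as SQL. This is the
    ' shape a designer-generated InsertCommand has.
    Sub InsertProductSafe(conn As SqlConnection, name As String, description As String,
                          price As Decimal, categoryId As Integer)
        Const sql As String = "INSERT INTO product (name, description, price, category_id) " &
                              "VALUES (@name, @description, @price, @category_id)"
        Using cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name
            cmd.Parameters.Add("@description", SqlDbType.NVarChar, 500).Value = description
            cmd.Parameters.Add("@price", SqlDbType.Decimal).Value = price
            cmd.Parameters.Add("@category_id", SqlDbType.Int).Value = categoryId
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    ' Converting the form input before it reaches the adapter is where bad
    ' values are rejected; a non-numeric price never becomes part of a command.
    Function TryParseProductInput(priceText As String, categoryValue As Object,
                                  ByRef price As Decimal, ByRef categoryId As Integer) As Boolean
        Return Decimal.TryParse(priceText, price) AndAlso
               Integer.TryParse(Convert.ToString(categoryValue), categoryId)
    End Function

    Sub Main()
        ' Assumed connection string; replace with the one in app.config.
        Using conn As New SqlConnection("Server=(localdb)\MSSQLLocalDB;Database=sampledb;Integrated Security=true")
            conn.Open()
            Dim price As Decimal
            Dim categoryId As Integer
            ' Constructed sample input: a name containing a quote is stored literally
            ' by the parameterized insert and would break the concatenated one.
            If TryParseProductInput("9.99", 3, price, categoryId) Then
                InsertProductSafe(conn, "O'Reilly widget", "sample description", price, categoryId)
            End If
        End Using
    End Sub

End Module
```

Passing TextBox text through without conversion, as the question's snippet does, is also worth noticing on its own: even with a parameterized adapter, a non-numeric price surfaces only as the exception caught by the Catch block, so converting and validating the fields first gives a clearer error and keeps malformed values out of the command entirely.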

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 29 Nov 2012
Copyright © CodeProject, 1999-2017