I'm aware that SQL injection is rather dangerous. Now in my C# code I compose parameterized queries with SqlCommand class:
SqlCommand command = ...;
command
SQL Injection is mostly dependent on execution of dynamic SQL, in other words on SQL statements constructed by concatenating SQL text with user-entered values.
To avoid SQL Injection completely,
Protecting yourself against SQL injection attacks is not very difficult. Applications that are immune to SQL injection attacks validate and sanitize all user input, never use dynamic SQL, execute using an account with few privileges, hash or encrypt their secrets, and present error messages that reveal little if no useful information to the hacker. By following a multi-layered approach to prevention you can be assured that if one defense is circumvented, you will still be protected.
From MSDN
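As an added example (not code from the question or either answer, and not from MSDN) covering both the "dynamic SQL" point above and the MSDN layering advice, the snippet below puts a concatenated query next to its parameterized SqlCommand equivalent, and wraps execution so that a SqlException is logged server-side but only a generic message reaches the caller. It assumes System.Data.SqlClient (Microsoft.Data.SqlClient exposes the same members used here), a hypothetical table Users with columns Id (int) and UserName (nvarchar(50)), and a caller that supplies an already-opened SqlConnection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // assumption: classic provider; Microsoft.Data.SqlClient works the same here

public static class UserLookup
{
    // DYNAMIC SQL (the pattern the answers warn about): the user's value is spliced
    // into the statement text, so the database parses it as part of the SQL.
    // Kept only to show what NOT to do; it is never executed in this example.
    public static string BuildDynamicSql(string userName)
    {
        return "SELECT Id FROM Users WHERE UserName = '" + userName + "'";
    }

    // PARAMETERIZED: the statement text is a constant; the value travels as a typed
    // parameter and is never interpreted as SQL, whatever characters it contains.
    public static SqlCommand BuildParameterizedCommand(SqlConnection connection, string userName)
    {
        const string sql = "SELECT Id FROM Users WHERE UserName = @userName";
        var command = new SqlCommand(sql, connection) { CommandType = CommandType.Text };
        // Explicit type and length: the server gets a bounded NVARCHAR(50), not an
        // inferred type, which also keeps plan caching stable across calls.
        command.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
        return command;
    }

    // Executes the parameterized lookup. Database errors are logged (here: stderr,
    // stand-in for real logging) and replaced by a generic message, so nothing about
    // the schema or the SQL text reaches the end user.
    public static int? FindUserId(SqlConnection connection, string userName)
    {
        // Simple input validation layer: reject obviously malformed values early.
        if (string.IsNullOrWhiteSpace(userName) || userName.Length > 50)
            throw new ArgumentException("Invalid user name.");

        try
        {
            using (SqlCommand command = BuildParameterizedCommand(connection, userName))
            {
                object result = command.ExecuteScalar();
                if (result == null || result == DBNull.Value)
                    return null;
                return Convert.ToInt32(result);
            }
        }
        catch (SqlException ex)
        {
            Console.Error.WriteLine("User lookup failed: " + ex.Message); // internal log only
            throw new InvalidOperationException("The request could not be completed.");
        }
    }

    // Offline demonstration: no database needed to see the difference in what the
    // server would receive. Input is constructed for the example.
    public static void Main()
    {
        string constructedInput = "o'brien"; // a legitimate name containing a quote

        // The dynamic version breaks on an ordinary apostrophe: the string literal
        // ends early and the remainder is handed to the parser as SQL text.
        Console.WriteLine(BuildDynamicSql(constructedInput));

        // The parameterized version sends fixed text plus a separate typed value.
        using (var connection = new SqlConnection()) // assumption: connection string supplied elsewhere,
        using (SqlCommand command = BuildParameterizedCommand(connection, constructedInput))
        {
            // using an account granted only SELECT on Users (MSDN "few privileges")
            Console.WriteLine(command.CommandText);
            Console.WriteLine("@userName = " + command.Parameters["@userName"].Value);
        }
    }
}
```

The two builders are the direct contrast the first answer draws: in BuildDynamicSql the apostrophe in "o'brien" changes the statement's structure, while in BuildParameterizedCommand the same value is only ever a parameter payload. FindUserId adds the remaining MSDN layers that live in application code (input validation, least-privilege connection, generic error messages); hashing stored secrets is a schema-level concern and is not shown.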