Hi, I was wondering if anyone knew of some good websites detailing prevention of SQL injection for .NET web applications. Any resources would be greatly appreciated, thank you.
I think that, if you google a bit on 'preventing sql injection in .NET', you'll find lots of good resources. :)
Anyway, one very important thing is not to use string concatenation to build your queries. Instead, use parameterized queries. ADO.NET lets you do this in a very easy way:
using System.Data;
using System.Data.SqlClient;
string sql = "SELECT * FROM Persons WHERE Persons.Lastname LIKE @p_Name";
SqlCommand cmd = new SqlCommand(sql); // set cmd.Connection to an open SqlConnection before executing
cmd.Parameters.Add("@p_Name", SqlDbType.VarChar).Value = textBox1.Text + "%"; // sent as data, never parsed as SQL
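To make the difference concrete, here is an added example (not code from the original thread) that puts the vulnerable string-concatenation version next to the parameterized ADO.NET version, and also handles one thing parameters alone do not cover: a user value containing LIKE wildcards. The table and column names (Persons, Lastname) are taken from the answer above; the attacker input and the method names are constructed for illustration. Nothing here needs a live database, because a SqlCommand and its parameters can be built without a connection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // built into .NET Framework; a NuGet package on .NET Core/.NET 5+

// Added example for this thread, not from the original poster or answerer.
static class PersonQueries
{
    // VULNERABLE: the user's text becomes part of the SQL grammar, so a value
    // such as  x' OR 1=1 --  turns the WHERE clause into one that is always true.
    public static string BuildUnsafeQuery(string lastName)
    {
        return "SELECT * FROM Persons WHERE Lastname LIKE '" + lastName + "%'";
    }

    // Parameters stop injection, but '%', '_' and '[' inside the value are still
    // wildcards to SQL Server's LIKE operator. Wrapping them in [] makes LIKE
    // match them literally (SQL Server specific; other databases use ESCAPE).
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // SAFE: the SQL text is a constant; the user value travels as a typed parameter
    // and is never parsed as SQL, whatever characters it contains.
    public static SqlCommand BuildSafeCommand(string lastName)
    {
        var cmd = new SqlCommand("SELECT * FROM Persons WHERE Lastname LIKE @p_Name");
        cmd.Parameters.Add("@p_Name", SqlDbType.VarChar, 100).Value = EscapeLike(lastName) + "%";
        return cmd;
    }

    static void Main()
    {
        string attack = "x' OR 1=1 --";   // constructed attacker input

        // The concatenated query now contains the attacker's SQL.
        Console.WriteLine(BuildUnsafeQuery(attack));

        // The parameterized command text is unchanged; the attack string is only a value.
        SqlCommand safe = BuildSafeCommand(attack);
        Console.WriteLine(safe.CommandText);
        Console.WriteLine(safe.Parameters["@p_Name"].Value);

        // To run it for real: safe.Connection = new SqlConnection(connectionString);
        // open the connection, then call safe.ExecuteReader().
    }
}
```

Running this prints the concatenated query with the `' OR 1=1 --` spliced into it, while for the parameterized command the CommandText still reads `... LIKE @p_Name` and the whole attack string, `%` appended, sits in the parameter value. The EscapeLike step matters when the search box is used for prefix matching, as in the answer above: without it a user typing `%` alone would list every row, which is not an injection but is still an unintended query.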