
Is this code vulnerable to SQL injections?

When the page loads, you have to fill in some text boxes and then click add:

// Click handler: copy the text boxes into the entity and insert it
tbSpyReports spyReport = new tbSpyReports();
spyReport.sgCityLevel = Convert.ToInt32(tbCityLevel.Text);
spyReport.sgCityName = tbCityName_insert.Text;
....
spyReport.insert();
Response.Redirect(Request.RawUrl);

// tbSpyReports.insert(): the SQL text is fixed, the values go in as parameters
SqlConnection con = ikaConn.getConn();
SqlCommand command = new SqlCommand(
    "INSERT INTO spyReports(cityName, playerName, cityId, islandId, cordX, cordY, " +
    "cityLevel, cityWall, cityWarehouse, Wood, Wine, Marble, Crystal, Sulfur, hasArmies) " +
    "VALUES(@cityName, @playerName, @cityId, @islandId, @cordX, @cordY, " +
    "@cityLevel, @cityWall, @cityWarehouse, @Wood, @Wine, @Marble, @Crystal, @Sulfur, @hasArmies)",
    con);
command.Parameters.Add(new SqlParameter("cityName", this.cityName));
command.Parameters.Add(new SqlParameter("playerName", this.playerName));
....
command.ExecuteNonQuery();
command.Dispose();

It shouldn't be vulnerable to traditional SQL injection of this form:

statement = "SELECT * FROM users WHERE name ='" + userName + "';"

as you're using parameterized queries.
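As an added illustration (not code from the question or the answer), here is the concatenation pattern the answer warns about placed beside the parameterized INSERT the question already uses, written against the same `spyReports` table with a few of its columns. The connection string is a placeholder and the column types and lengths are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Assumes a spyReports table with the
// columns named in the question; the connection string is a placeholder.
public static class SpyReportRepository
{
    private const string ConnectionString = "<your connection string>";

    // VULNERABLE (the form the answer describes): user input is spliced into the
    // SQL text, so a quote character in cityName changes the statement instead of
    // being stored as data.
    public static int InsertUnsafe(string cityName, string playerName, int cityLevel)
    {
        string sql = "INSERT INTO spyReports(cityName, playerName, cityLevel) VALUES('"
                     + cityName + "', '" + playerName + "', " + cityLevel + ")";
        using (var con = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, con))
        {
            con.Open();
            return command.ExecuteNonQuery();
        }
    }

    // SAFE (the form the question uses): the SQL text never changes; values travel
    // as typed parameters and are not parsed as SQL whatever characters they hold.
    public static int InsertSafe(string cityName, string playerName, int cityLevel)
    {
        const string sql = "INSERT INTO spyReports(cityName, playerName, cityLevel) "
                         + "VALUES(@cityName, @playerName, @cityLevel)";
        using (var con = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, con))
        {
            // Explicit SqlDbType and length (assumed NVARCHAR(50)) avoid implicit
            // conversions on the server and let the plan cache be reused.
            command.Parameters.Add("@cityName", SqlDbType.NVarChar, 50).Value = cityName;
            command.Parameters.Add("@playerName", SqlDbType.NVarChar, 50).Value = playerName;
            command.Parameters.Add("@cityLevel", SqlDbType.Int).Value = cityLevel;
            con.Open();
            return command.ExecuteNonQuery();
        }
    }

    // Convert.ToInt32(tbCityLevel.Text) in the question throws a FormatException on
    // non-numeric input; validating first turns that into a clean rejection.
    public static bool TryParseCityLevel(string text, out int cityLevel)
    {
        return int.TryParse(text, out cityLevel) && cityLevel >= 0;
    }
}
```

The `using` blocks dispose the connection and command even when `ExecuteNonQuery` throws, which the question's explicit `command.Dispose()` does not guarantee. Parameters protect values only: a table or column name built from user input would still need to be checked against an allow-list, since it cannot be passed as a parameter.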
