Prevent SQL injection!

By patrickwellink
March 18, 2005

In the Northwind database the Customers table has a CustomerID field, and that field is 5 characters long.


I am using the MyGeneration dOOdad architecture, and I query the database for every customer that has a CustomerID of 'ANTON'.


In my code this looks like:



Dim cust As New Customers
' The value deliberately carries a trailing SQL comment marker (--)
' to see what the generated query does with it.
cust.Where.CustomerID.Value = "ANTON --AND HERE IS SOME STUFF TOO--"
cust.Query.Load()



So in the code I actually query on: ANTON --AND HERE IS SOME STUFF TOO--


But if I look in SQL Profiler I see the following:



exec sp_executesql N'SELECT * FROM [Customers] WHERE [CustomerID] = @CustomerID1 ', N'@CustomerID1 nchar(5)', @CustomerID1 = N'ANTON'


So the value is passed as the typed parameter @CustomerID1 (nchar(5)) and is cut off at the column's length, leaving only ANTON. This feature could prevent SQL injection.
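To see what Profiler showed above reproduced by hand, here is an added T-SQL example (not from the post and not code generated by MyGeneration) that runs the same statement against Northwind, first with the nchar(5) parameter the dOOdad generated and then with a wider parameter, so the truncation and the parameter binding can be observed separately:

```sql
-- Constructed demo for SQL Server with the Northwind sample database.
-- @input is the same value the post used in cust.Where.CustomerID.Value.
DECLARE @input nvarchar(100);
SET @input = N'ANTON --AND HERE IS SOME STUFF TOO--';

-- The statement text is fixed; the customer id is a placeholder, exactly as
-- in the Profiler trace. LEN(@CustomerID1) exposes what was actually bound.
DECLARE @sql nvarchar(200);
SET @sql = N'SELECT [CustomerID], LEN(@CustomerID1) AS BoundLength '
         + N'FROM [Customers] WHERE [CustomerID] = @CustomerID1';

-- 1) Parameter declared as nchar(5), as dOOdads did: the bound value is
--    silently truncated to 'ANTON', so one row comes back with BoundLength 5.
EXEC sp_executesql @sql, N'@CustomerID1 nchar(5)', @CustomerID1 = @input;

-- 2) Same statement, parameter wide enough to hold the whole input: nothing
--    is truncated, no CustomerID matches, and no rows come back. In both runs
--    the text after ANTON is data inside a parameter, never part of the
--    statement, so the -- is not treated as a comment. The binding is what
--    keeps the input out of the SQL; the nchar(5) truncation is a side effect.
EXEC sp_executesql @sql, N'@CustomerID1 nvarchar(100)', @CustomerID1 = @input;

-- 3) For contrast, the shape to avoid: building the statement by string
--    concatenation puts the input into the SQL text itself. Printed here,
--    not executed, so the generated text can be inspected in the output.
DECLARE @concatenated nvarchar(400);
SET @concatenated = N'SELECT * FROM [Customers] WHERE [CustomerID] = '''
                  + @input + N'''';
PRINT @concatenated;
```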


The more I look at the dOOdad architecture the more I like it.

Comments: 1

  1. Yes, and the mere fact that it is passed in via a parameter means that SQL injection is basically eliminated.
