Prevent SQL injection!

By patrickwellink
March 18, 2005

In the NorthWind database the Customers table has a CustomerID field, and that field is five characters long (nchar(5)).

I am using the MyGeneration dOOdad architecture, and I query the database for every customer that has a CustomerID of 'ANTON'.

In my code this looks like:

Dim cust As New Customers
cust.Where.CustomerID.Value = "ANTON --AND HERE IS SOME STUFF TOO--"

So in the code I actually query on: ANTON --AND HERE IS SOME STUFF TOO--

But if I look in SQL Profiler I see the following:

exec sp_executesql N'SELECT * FROM [Customers] WHERE [CustomerID] = @CustomerID1 ', N'@CustomerID1 nchar(5)', @CustomerID1 = N'ANTON'

So the parameter @CustomerID1 is declared as nchar(5) and the value is cut off at the column length. The truncation is a side effect of the typed parameter, though, not the protection itself: what prevents SQL injection is that the value is handed to sp_executesql as a parameter instead of being concatenated into the SQL text, so whatever it contains (quotes, -- comment markers, extra clauses) is compared as data and never parsed as SQL.
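The following is an added example, not code from the original post or from MyGeneration/dOOdads. It reproduces the comparison above in Python with sqlite3, using ? placeholders where SQL Server uses sp_executesql with @Name parameters; the mechanism is the same (the value is bound as a parameter and never becomes part of the SQL text). The four Customers rows are constructed stand-ins for the NorthWind table, and the function names and the max_len argument (which emulates the nchar(5) parameter size seen in the Profiler trace) are this example's own.

```python
"""Concatenated vs. parameterized lookup of a Customers row.

Added example, not part of the original post. Uses sqlite3 '?' placeholders
in place of SQL Server's sp_executesql/@Name parameters; the point shown is
identical: a bound parameter is compared as data, never parsed as SQL.
"""
import sqlite3

# Constructed sample data (assumption: a four-row stand-in for NorthWind's
# Customers table; the real table has many more columns).
CUSTOMERS = [
    ("ALFKI", "Alfreds Futterkiste"),
    ("ANATR", "Ana Trujillo Emparedados y helados"),
    ("ANTON", "Antonio Moreno Taqueria"),
    ("AROUT", "Around the Horn"),
]


def make_db():
    """Create an in-memory database with a Customers table like NorthWind's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerID NCHAR(5), CompanyName NVARCHAR(40))"
    )
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    return conn


def query_concatenated(conn, customer_id):
    """VULNERABLE: the value is spliced into the SQL text, so a quote or a
    '--' comment marker inside it is parsed as SQL instead of compared as data."""
    sql = "SELECT CustomerID FROM Customers WHERE CustomerID = '" + customer_id + "'"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, customer_id, max_len=None):
    """SAFE: the value is bound as a parameter and compared as data only.

    max_len emulates the nchar(5) parameter size in the Profiler trace: the
    data layer declared the parameter at the column length, so the value is
    cut off at five characters before the server compares it. It is optional
    here to show that the truncation is not what stops the injection.
    """
    if max_len is not None:
        customer_id = customer_id[:max_len]
    sql = "SELECT CustomerID FROM Customers WHERE CustomerID = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


if __name__ == "__main__":
    db = make_db()
    author_value = "ANTON --AND HERE IS SOME STUFF TOO--"
    # Classic tautology payload; the trailing '--' comments out the closing quote.
    attack_value = "' OR 1=1 --"

    # The post's value with the parameter cut to nchar(5): matches ANTON.
    print("param, nchar(5):", query_parameterized(db, author_value, max_len=5))
    # Same value at full length: no match, and still no injection.
    print("param, full:    ", query_parameterized(db, author_value))
    # Concatenation with a real payload: the WHERE clause becomes
    #   CustomerID = '' OR 1=1 --'   and every row comes back.
    print("concat, attack: ", query_concatenated(db, attack_value))
    # Same payload bound as a parameter: compared as a string, matches nothing.
    print("param, attack:  ", query_parameterized(db, attack_value))
```

The shape of the Profiler line above is exactly the safe case: the SQL text is a constant with @CustomerID1 in it, and the value arrives separately in the parameter list. Cutting the value to five characters does not make the concatenated form safe and is not needed to make the parameterized form safe.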

The more I look at the dOOdad architecture the more I like it.

Comments: 1

  1. Mike Griffin says:

    Yes, and the mere fact that it is passed in via a parameter means that SQL injection is basically eliminated.
