Avoid SQL Injection attack : SqlCommand « ADO.net Database « ASP.NET Tutorial

ASP.NET Tutorial
1. ASP.Net Instroduction
2. Language Basics
3. ASP.net Controls
4. HTML Controls
5. Page Lifecycle
6. Response
7. Collections
8. Validation
9. Development
10. File Directory
11. Sessions
12. Cookie
13. Cache
14. Custom Controls
15. Profile
16. Configuration
17. LINQ
18. ADO.net Database
19. Data Binding
20. Ajax
21. Authentication Authorization
22. I18N
23. Mobile
24. WebPart
25. XML
Java
Java Tutorial
Java Source Code / Java Documentation
Java Open Source
Jar File Download
Java Articles
Java Products
Java by API
Photoshop Tutorials
Maya Tutorials
Flash Tutorials
3ds-Max Tutorials
Illustrator Tutorials
GIMP Tutorials
C# / C Sharp
C# / CSharp Tutorial
C# / CSharp Open Source
ASP.Net
JavaScript DHTML
JavaScript Tutorial
JavaScript Reference
HTML / CSS
HTML CSS Reference
C / ANSI-C
C Tutorial
C++
C++ Tutorial
Ruby
PHP
Python
Python Tutorial
Python Open Source
SQL Server / T-SQL
SQL Server / T-SQL Tutorial
Oracle PL / SQL
Oracle PL/SQL Tutorial
PostgreSQL
SQL / MySQL
MySQL Tutorial
VB.Net
VB.Net Tutorial
Flash / Flex / ActionScript
VBA / Excel / Access / Word
XML
XML Tutorial
Microsoft Office PowerPoint 2007 Tutorial
Microsoft Office Excel 2007 Tutorial
Microsoft Office Word 2007 Tutorial
ASP.NET Tutorial » ADO.net Database » SqlCommand 
18. 3. 13. Avoid SQL Injection attack
<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="AddShipper" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Add New Shipper</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <h1>Add New Shipper</h1>
        <asp:Label ID="lblCompanyName" runat="server" Text="Company Name:"> </asp:Label> 
        <asp:TextBox ID="txtCompanyName" runat="server"></asp:TextBox>
        <br />
        <asp:Label ID="lblPhone" runat="server" Text="Phone:"> </asp:Label> <asp:TextBox ID="txtPhone"
            runat="server"></asp:TextBox><br />
        <br />
        <asp:Button ID="btnBadAddShipper" runat="server" Text="Bad Add Shipper" OnClick="btnBadAddShipper_Click" />
        <asp:Button ID="btnGoodAddShipper" runat="server" OnClick="btnGoodAddShipper_Click"
            Text="Good Add Shipper" /></div>
    </form>
</body>
</html>

File: Default.aspx.cs

using System;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public partial class AddShipper : System.Web.UI.Page 
{

    protected void btnBadAddShipper_Click(object sender, EventArgs e)
    {
        string connStr = "Server=(local);Database=Northwind;Integrated Security=SSPI";
        string cmdStr =  "insert into Shippers (CompanyName, Phone) values ('" 
            txtCompanyName.Text + "', '" + txtPhone.Text + "')";

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(cmdStr, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    protected void btnGoodAddShipper_Click(object sender, EventArgs e)
    {
        string connStr = "Server=(local);Database=Northwind;Integrated Security=SSPI";
        
        string cmdStr = "insert into Shippers (CompanyName, Phone) values (" "@CompanyName, @Phone)";

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(cmdStr, conn))
        {
            cmd.Parameters.AddWithValue("@CompanyName", txtCompanyName.Text);
            cmd.Parameters.AddWithValue("@Phone", txtPhone.Text);

            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
18. 3. SqlCommand
18. 3. 1. Create SqlCommand from sql statement and connection
18. 3. 2. Executing a Command
18. 3. 3. Executing a Command with Parameters
18. 3. 4. Returning a Single Value
18. 3. 5. Read scalar data by using SqlCommand
18. 3. 6. Execute insert command by using SqlCommand
18. 3. 7. Execuate select command by using the SqlCommand
18. 3. 8. Execute update command
18. 3. 9. Attach SqlCommand to DataGrid
18. 3. 10. Pass a CommandBehavior.CloseConnection parameter to the ExecuteReader() method.
18. 3. 11. Executing Asynchronous Database Commands
18. 3. 12. Avoid SQL injection
18. 3. 13. Avoid SQL Injection attack
18. 3. 14. Browser Snoop
www.java2java.com | Contact Us
Copyright 2009 - 12 Demo Source and Support. All rights reserved.
All other trademarks are property of their respective owners.