.net - Is passing by use of parameter necessary for data type int to prevent sql injection -
as per question once more: need pass numbers datatype variable values parameters prevent sql injection.
i have 2 sample function 1 parameter , next without using parameter
function checkthis(int uin) { var connect = configurationmanager.connectionstrings["northwind"].tostring(); var query = "select * products productid = @productid"; using (var conn = new sqlconnection(connect)) { using (var cmd = new sqlcommand(query, conn)) { cmd.parameters.add("@productid", sqldbtype.int); cmd.parameters["@productid"].value = uin; conn.open(); //process results } } } or following ok
function checkthis(int uin) { var connect = configurationmanager.connectionstrings["northwind"].tostring(); var query = "select * products productid = " + uin; using (var conn = new sqlconnection(connect)) { using (var cmd = new sqlcommand(query, conn)) { //cmd.parameters.add("@productid", sqldbtype.int); //cmd.parameters["@productid"].value = uin; conn.open(); //process results } } }
you don't need stop sql injection attacks1. however:
- your code cleaner if separate sql values
- if type later changed
intelse, then @ risk of injection attack, , it's entirely possible missed in code review - it avoids issues number-to-string conversions involving unexpected thousands separators etc
in short, still use parameters.
1 unless attacker can affect locale settings. @ point, even string concatenation integers can vulnerable sql injection attacks.
Comments
Post a Comment