Is the SqlCommand.Parameters.AddWithValue method injection-safe?
It accepts an Object for the payload, so how could it protect against injection?
It actually depends on how you use them.
See the difference here. The first one is secure, but not the second one.
// Secure: the SQL text is fixed and the user input is bound as the value of @title,
// so the server never parses txtTitle.Text as SQL.
sqlCommand.CommandText = "select * from Books where Title = @title";
sqlCommand.Parameters.AddWithValue("title", txtTitle.Text);

// Insecure: the user input is concatenated into the SQL string before anything
// is parameterised. Binding that string as @sql does not help, because exec(@sql)
// then executes whatever the concatenation produced.
string sql = "select * from Books where title = " + txtTitle.Text;
sqlCommand.CommandText = "exec(@sql)";
sqlCommand.Parameters.AddWithValue("sql", sql);
See more details about it at Does asp.net protect against sql injection attacks
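The same principle, shown end to end with a runnable example (added here; it is not from the answer above and uses Python's sqlite3 driver rather than ADO.NET, since the mechanism of parameter binding versus string concatenation is driver-independent). The `Books` table, its three rows and the `'' OR 1=1` input are constructed for the demonstration. `search_bound` is the counterpart of the secure snippet; `search_concatenated` mirrors the insecure one, including the page's form without surrounding quotes, so the input itself has to carry the quoting.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the Books table in the answer.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Books (Id INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany(
        "INSERT INTO Books (Title) VALUES (?)",
        [("Dune",), ("Neuromancer",), ("Snow Crash",)],
    )
    return conn


def search_bound(conn, title):
    # Counterpart of the secure snippet: the SQL text never changes and the
    # input is handed to the driver as a parameter value. Whatever the string
    # contains (quotes, OR, comment markers) is compared as data.
    cur = conn.execute("SELECT Title FROM Books WHERE Title = ?", (title,))
    return [row[0] for row in cur.fetchall()]


def search_concatenated(conn, title):
    # Counterpart of the insecure snippet: the input is spliced into the SQL
    # string first, exactly as "... where title = " + txtTitle.Text does.
    # Wrapping the finished string in a parameter and running exec(@sql)
    # would change nothing, because the string is already the query.
    sql = "SELECT Title FROM Books WHERE Title = " + title
    cur = conn.execute(sql)
    return [row[0] for row in cur.fetchall()]


def compare(payload):
    # Run the same input through both paths and return what each one yields.
    conn = make_db()
    return {
        "bound": search_bound(conn, payload),
        "concatenated": search_concatenated(conn, payload),
    }


if __name__ == "__main__":
    # Constructed input that is valid SQL when pasted into the query text.
    for payload in ("Dune", "'Dune'", "'' OR 1=1"):
        print(repr(payload), compare(payload))
```

With the bound query, `'' OR 1=1` matches no row because the parameter is compared literally to the stored titles; with the concatenated query the same string becomes part of the WHERE clause and every row comes back. Note also that with the bound query the legitimate search term is `Dune`, not `'Dune'`: the quotes are data, which is the behaviour you want from a text box.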