BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

QCon London

Discover new ideas and insights from senior practitioners driving change in software. Attend in-person.
QCon San Francisco: Video-Only Pass

Video-Only Pass for professionally edited conference recordings.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News Preventing SQL Injection Attacks in .NET Applications

Preventing SQL Injection Attacks in .NET Applications

Bookmarks

Oct 24, 2006 less than one minute

Write for InfoQ

Join a community of experts. Increase your visibility.
Grow your career.Learn more

Back in September InfoQ reported on Michael Sutton's alarming study of SQL injection vulnerabilities. Fortunately preventing most of them in .NET is not that hard.

SQL injection vulnerabilities are caused by applications that improperly allow users to pass commands to the database. Even simple mistakes creating a SQL command can allow attackers to do massive damage to a database.

Scott Guthrie outlines the most common vector for SQL injection attacks, string concatenation. He then goes on to show a safe method for generating dynamic SQL statements using parameterized queries. He also includes a set of links for those wanting to perform further research.

Rate this Article

Adoption
Style

This content is in the Database topic

Related Topics:

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT