SQL Injection in asp.net




protected voidButton1_Click(object sender, EventArgs e)
 {
  using (SqlConnectioncon = new SqlConnection(ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString))
 {
 SqlCommand cmd = newSqlCommand();
 cmd.CommandText = "Select *from ProductTable where ProductName like '" + TextBox1.Text + "%'";
            Response.Write(cmd.CommandText);
            cmd.Connection = con;
            con.Open();
            GridView1.DataSource = cmd.ExecuteReader();    // Second method gvdatasource
            GridView1.DataBind();
 }

---------------------------------same work Prevention--------------------
using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString))
        {
            SqlCommand cmd = newSqlCommand();
            cmd.CommandText = "Select *from ProductTable where ProductName like @ProductName";
            cmd.Parameters.AddWithValue("@ProductName", TextBox1.Text + "%");
            Response.Write(cmd.CommandText);
            cmd.Connection = con;
            con.Open();
            GridView1.DataSource = cmd.ExecuteReader();    // Second method Gvdatasource
            GridView1.DataBind();
        }


Comments

Post a Comment

Popular posts from this blog

Creating a DDL File & link ddl file in C#

 Creating a DDL File & link ddl file  in C# using System; using System.Collections.Generic; using System.Linq; using System.Text; namespace ClassLibraryExample {     public class ClassLibrary     {         private string name;         private string last;         private string fullname;         public string Name         {             get { return name; }             set { name = value ; }         }          public string Last         {             get { return last; }    ...
Read more

SQL Command in asp.net

Image
  SqlCommand classis used to prepare an Sql statement or Stored procedure that we want to execute on a sql server database. The Most commonly used methods of the Sqlcommand class 1 -   ExecuteReader - Use when the T-SQL Statement returns more than a single value. For example, if the query returns rows of data. 2-   ExecuteNonQuery- use when you want to perform an insert, Update or delete Operation. 3-   ExecuteScalar- Use When the Query returns a single (scalar) value. For example, Queries that return the total number of rows in a table.   Example: ExecuteReader Methods:     using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.UI; using System.Web.UI.WebControls; using System.Data; using System.Data.SqlClient; using System.Configuration; public partial class ExecuteReaderExamples : System.Web.UI. Page { ...
Read more