Creating a Parameterized Query In Visual Studio

Creating parameterized queries is one of the major countermeasures to SQL injection attacks (not the ultimate one, but a major one).

I always did it the old-fashioned way - using code only - and I am ashamed I never utilized the advanced productivity features of Visual Studio.

Beth Massi does a great job explaining how to build parameterized queries in her Creating a Parameterized Query post. I must voice some criticism here, though - I would really love to see a different example rather than creating a custom login form, say a products catalog. Building a custom authentication scheme is the surest way to disaster. I must admit that Beth put in a proper disclaimer, though:

(By the way, this example does NOT demonstrate a secure way of writing login forms. We'll be passing what the user enters directly into the database which stores the password in clear text. It is NOT safe practice to store clear text passwords in your database. I'll post a follow-up that talks about techniques we can use to protect users' passwords, especially if we need to store them in a database. For now, let's concentrate on how we add parameterized queries to our TableAdapters.)
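To show the products-catalog variant suggested above in plain ADO.NET, here is an added example (not code from Beth Massi's post or from this blog). It puts the injectable string-concatenation query next to the parameterized one. The table and column names (Products, ProductName, UnitPrice), the parameter name @Pattern and the connection string are assumptions for illustration.

```csharp
// Added example: products-catalog search, vulnerable form beside the
// parameterized form. Schema names and connection string are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductCatalog
{
    // Placeholder connection string; replace with your own.
    private const string ConnectionString =
        "Server=(local);Database=Northwind;Integrated Security=true;";

    // VULNERABLE: the user's text becomes part of the SQL statement itself.
    // A single quote in the input ends the string literal, and whatever
    // follows is parsed and executed as SQL by the server.
    public static DataTable SearchProductsUnsafe(string nameFragment)
    {
        string sql = "SELECT ProductID, ProductName, UnitPrice FROM Products " +
                     "WHERE ProductName LIKE '%" + nameFragment + "%'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlDataAdapter adapter = new SqlDataAdapter(sql, conn))
        {
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // PARAMETERIZED: the SQL text is a constant; the value travels to
    // SQL Server as a typed parameter and is never parsed as SQL.
    // This is the same shape the TableAdapter designer generates when you
    // add a query containing an @parameter in Visual Studio.
    public static DataTable SearchProducts(string nameFragment)
    {
        const string sql = "SELECT ProductID, ProductName, UnitPrice FROM Products " +
                           "WHERE ProductName LIKE @Pattern";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Build the wildcard pattern in code, then bind it as a typed,
            // length-limited parameter (40 matches an nvarchar(40) column;
            // longer values are truncated, so validate length first).
            // Note: % and _ typed by the user still act as LIKE wildcards;
            // escape them if exact substring matching is required.
            cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 40).Value =
                "%" + nameFragment + "%";
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }
}
```

When you use the designer instead of hand-written code, the check is the same: open the generated DataSet designer file and confirm that every query uses SqlParameter objects for user-supplied values and that no method builds its CommandText by concatenating strings.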

Related articles:

How To: Protect From SQL Injection in ASP.NET

How To: Protect From Injection Attacks in ASP.NET

Good read; looking forward to seeing the post on passwords.

Comments

  • Anonymous
    May 31, 2007
    I just finished building another security workshop that covers authentication and identity technologies