Avoid SQL Injection attack : SqlCommand « ADO.net Database « ASP.NET Tutorial






<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="AddShipper" %>
<%-- Markup for the AddShipper page: two text boxes and two buttons whose OnClick handlers
     live in Default.aspx.cs (AddShipper). The page exists to contrast a string-concatenated
     INSERT with a parameterized one; the markup itself is identical for both. --%>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Add New Shipper</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <h1>Add New Shipper</h1>
        <%-- No validation controls are attached to either text box, so the code-behind receives
             whatever the user typed and must treat both values as untrusted input. --%>
        <asp:Label ID="lblCompanyName" runat="server" Text="Company Name:"> </asp:Label> 
        <asp:TextBox ID="txtCompanyName" runat="server"></asp:TextBox>
        <br />
        <asp:Label ID="lblPhone" runat="server" Text="Phone:"> </asp:Label> <asp:TextBox ID="txtPhone"
            runat="server"></asp:TextBox><br />
        <br />
        <%-- "Bad" posts back to the handler that splices the text into the SQL string;
             "Good" posts back to the handler that passes it as SqlParameters. --%>
        <asp:Button ID="btnBadAddShipper" runat="server" Text="Bad Add Shipper" OnClick="btnBadAddShipper_Click" />
        <asp:Button ID="btnGoodAddShipper" runat="server" OnClick="btnGoodAddShipper_Click"
            Text="Good Add Shipper" /></div>
    </form>
</body>
</html>

File: Default.aspx.cs

using System;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

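public partial class AddShipper : System.Web.UI.Page 
{
    // Both handlers talk to the same local Northwind database. Kept in one place so the two
    // examples differ only in how the INSERT statement is built. A production page would read
    // this from the connectionStrings section of web.config rather than hard-coding it.
    private const string ConnStr = "Server=(local);Database=Northwind;Integrated Security=SSPI";

    /// <summary>
    /// Deliberately vulnerable example, kept unchanged because this page exists to contrast it
    /// with <see cref="btnGoodAddShipper_Click"/>. The two text-box values are concatenated
    /// straight into the INSERT text, so a quote character in either field changes the
    /// statement SQL Server executes instead of being stored as data.
    /// </summary>
    /// <param name="sender">The button that raised the click (unused).</param>
    /// <param name="e">Event data (unused).</param>
    protected void btnBadAddShipper_Click(object sender, EventArgs e)
    {
        // Untrusted input spliced into SQL text -- this is the pattern to avoid.
        string cmdStr = "insert into Shippers (CompanyName, Phone) values ('" +
            txtCompanyName.Text + "', '" + txtPhone.Text + "')";

        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(cmdStr, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    /// <summary>
    /// Safe example: the statement text is a fixed constant and the user-supplied values are
    /// sent as typed parameters, so the database never interprets them as part of the SQL.
    /// </summary>
    /// <param name="sender">The button that raised the click (unused).</param>
    /// <param name="e">Event data (unused).</param>
    protected void btnGoodAddShipper_Click(object sender, EventArgs e)
    {
        // No user data appears in this string; only the placeholders do.
        const string cmdStr = "insert into Shippers (CompanyName, Phone) values (@CompanyName, @Phone)";

        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(cmdStr, conn))
        {
            // Explicit SqlDbType rather than AddWithValue: AddWithValue infers the parameter's
            // SQL type and length from the .NET value, so each distinct input length yields a
            // differently-typed parameter (separate cached plans, and possible implicit
            // conversions against the column). Declaring NVarChar keeps the parameter stable.
            cmd.Parameters.Add("@CompanyName", SqlDbType.NVarChar).Value = txtCompanyName.Text;
            cmd.Parameters.Add("@Phone", SqlDbType.NVarChar).Value = txtPhone.Text;

            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}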







