Avoid SQL injection : SqlCommand « ADO.net Database « ASP.NET Tutorial

Home
ASP.NET Tutorial
1.ASP.Net Instroduction
2.Language Basics
3.ASP.net Controls
4.HTML Controls
5.Page Lifecycle
6.Response
7.Collections
8.Validation
9.Development
10.File Directory
11.Sessions
12.Cookie
13.Cache
14.Custom Controls
15.Profile
16.Configuration
17.LINQ
18.ADO.net Database
19.Data Binding
20.Ajax
21.Authentication Authorization
22.I18N
23.Mobile
24.WebPart
25.XML
ASP.NET Tutorial » ADO.net Database » SqlCommand 




<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="SqlInjectionCorrected" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
      <asp:TextBox id="txtID" runat="server">ALFKI' O'1'='1</asp:TextBox>
      <asp:Label id="Label1" runat="server">Enter Customer ID:</asp:Label>
      <asp:Button id="cmdGetRecords" runat="server" Text="Get Records" OnClick="cmdGetRecords_Click"></asp:Button>
      <asp:GridView id="GridView1" runat="server" Width="392px" Height="123px"></asp:GridView>
    </div>
    </form>
</body>
</html>


File: Default.aspx.cs

using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;

public partial class SqlInjectionCorrected : System.Web.UI.Page
{
  protected void cmdGetRecords_Click(object sender, System.EventArgs e)
  {
    string connectionString = "Data Source=localhost;Initial Catalog=Northwind;" +
      "Integrated Security=SSPI";
    SqlConnection con = new SqlConnection(connectionString);
    string sql =
      "SELECT Orders.CustomerID, Orders.OrderID, COUNT(UnitPrice) AS Items, " +
      "SUM(UnitPrice * Quantity) AS Total FROM Orders " +
      "INNER JOIN [Order Details] " +
      "ON Orders.OrderID = [Order Details].OrderID " +
      "WHERE Orders.CustomerID = @CustID " +
      "GROUP BY Orders.OrderID, Orders.CustomerID";
    SqlCommand cmd = new SqlCommand(sql, con);
    cmd.Parameters.Add("@CustID", txtID.Text);

    con.Open();
    SqlDataReader reader = cmd.ExecuteReader();
    GridView1.DataSource = reader;
    GridView1.DataBind();
    reader.Close();
    con.Close();
  }
}














18.3.SqlCommand
18.3.1.Create SqlCommand from sql statement and connection
18.3.2.Executing a Command
18.3.3.Executing a Command with Parameters
18.3.4.Returning a Single Value
18.3.5.Read scalar data by using SqlCommand
18.3.6.Execute insert command by using SqlCommand
18.3.7.Execuate select command by using the SqlCommand
18.3.8.Execute update command
18.3.9.Attach SqlCommand to DataGrid
18.3.10.Pass a CommandBehavior.CloseConnection parameter to the ExecuteReader() method.
18.3.11.Executing Asynchronous Database Commands
18.3.12.Avoid SQL injection
18.3.13.Avoid SQL Injection attack
18.3.14.Browser Snoop
java2s.com  | Contact Us | Privacy Policy
Copyright 2009 - 12 Demo Source and Support. All rights reserved.
All other trademarks are property of their respective owners.