Is dynamic SQL worse for SQL injection / hacking? If so, how do I stop it?
If you use parameters instead of string concatenation to specify your filter criteria, then this SQL should not be vulnerable to injection. For example:

Do this:
    // Column name Person.Name is assumed; it is garbled in the original answer
    string sqlQuery = "SELECT * FROM Person WHERE Person.Name LIKE @name";
    SqlCommand cmd = new SqlCommand(sqlQuery);
    // ... (connection setup elided in the original)
    cmd.Parameters.Add("@name", SqlDbType.VarChar).Value = aName + "%";
Instead of:
    // Same query, but the user-supplied value is concatenated into the statement text
    string sqlQuery = "SELECT * FROM Person WHERE Person.Name LIKE '" + aName + "%'";
The first example is not vulnerable to SQL injection, but the second example is very vulnerable.
The same applies to dynamic SQL that you use in stored procedures. For example, you can create dynamic SQL statements that use parameters; then you use sp_executesql to execute the dynamic statement, which lets you specify the parameters you use.
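As an added example, not part of the original answer, the same contrast carried into a stored procedure: the first procedure concatenates the search value into the dynamic statement and runs it with EXEC, the second keeps the value as a typed parameter passed through sp_executesql and validates the one identifier that genuinely has to be dynamic. The Person table, its columns, and the procedure names are assumed for illustration.

```sql
-- Added example (not from the original answer). Table, columns and procedure
-- names are assumed for illustration.
CREATE TABLE Person (Id INT PRIMARY KEY, Name VARCHAR(100), City VARCHAR(100));
GO

-- Concatenation form: the search value becomes part of the statement text,
-- so any quote character inside @aName changes the meaning of the query.
CREATE PROCEDURE FindPerson_Concat
    @aName VARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM Person WHERE Name LIKE ''' + @aName + '%''';
    EXEC (@sql);
END
GO

-- Parameterised form: the statement text is fixed, the value travels as a
-- typed parameter through sp_executesql, and the only piece that must be
-- dynamic (the ORDER BY column) is checked against a whitelist and wrapped
-- with QUOTENAME, because identifiers cannot be passed as parameters.
CREATE PROCEDURE FindPerson_Param
    @aName      VARCHAR(100),
    @sortColumn SYSNAME = N'Name'
AS
BEGIN
    IF @sortColumn NOT IN (N'Id', N'Name', N'City')
    BEGIN
        RAISERROR('Invalid sort column', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM Person WHERE Name LIKE @name ORDER BY '
        + QUOTENAME(@sortColumn) + N';';

    -- sp_executesql accepts variables or constants as parameter values,
    -- so the pattern is built into a variable first.
    DECLARE @pattern VARCHAR(101) = @aName + '%';

    EXEC sp_executesql
        @sql,
        N'@name VARCHAR(101)',
        @name = @pattern;
END
GO

-- Usage: the value is bound as data, never parsed as SQL.
EXEC FindPerson_Param @aName = 'Jo', @sortColumn = N'City';
GO
```

Parameters can only carry values, not table or column names, which is why the sort column still has to be assembled into the text; the whitelist plus QUOTENAME keeps that one dynamic identifier from becoming a second injection point.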