insert code - security


Eugene Anthony

How do I secure the code below from possible SQL injection?

SqlConnection cnn2 = new SqlConnection(ConfigurationManager.ConnectionStrings["myConnection"].ConnectionString);
SqlCommand myCommand2 = new SqlCommand();
myCommand2.Connection = cnn2;
// Every user-supplied value is concatenated straight into the SQL text,
// so a quote character in any of them changes the statement itself.
myCommand2.CommandText = "INSERT Authentication (email,firstname,lastname,password,country,postalcode,dob,Gender,type) " +
    "VALUES('" + email + "','" + firstname + "','" + lastname + "','" + password + "','" + country + "'," +
    int.Parse(postalcode) + "," + dob + ",'" + gender + "','user')";
SqlDataAdapter myAdapter2 = new SqlDataAdapter(myCommand2);
DataSet ds2 = new DataSet();
myAdapter2.Fill(ds2, "Authentication");

Please note that I'm using MS SQL 7 along with ASP.NET 2.0 with C#.

Eugene Anthony
 

Jay Allard

Remove all of the variables from the Insert statement.

Instead of

sql = "insert into Authentication(email) values('" + email + "')";

do

sql = "insert into Authentication(email) values (@email)";

Then create a SqlParameter with a name of email, and the proper data type
and size, and add it to the command parameters collection.
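The full INSERT from the question rewritten the way this answer describes, as an added example (not the poster's or the answerer's code). It assumes the same table and column names; the SqlDbType sizes are assumptions to match to your schema, and ExecuteNonQuery replaces the DataAdapter.Fill call since no rows are being read back.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class Registration
{
    // Returns the number of rows inserted (1 on success).
    public static int InsertUser(string email, string firstname, string lastname,
        string password, string country, string postalcode, DateTime dob, string gender)
    {
        // Validate the numeric field up front instead of letting int.Parse throw mid-statement.
        int postal;
        if (!int.TryParse(postalcode, out postal))
            throw new ArgumentException("postal code must be numeric", "postalcode");

        // No user input appears in the SQL text; every value is a named placeholder.
        const string sql =
            "INSERT Authentication (email, firstname, lastname, password, country, " +
            "postalcode, dob, Gender, type) " +
            "VALUES (@email, @firstname, @lastname, @password, @country, " +
            "@postalcode, @dob, @gender, 'user')";

        using (SqlConnection cnn = new SqlConnection(
            ConfigurationManager.ConnectionStrings["myConnection"].ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, cnn))
        {
            // Parameters travel to the server separately from the statement, so a quote
            // or comment sequence inside the input is treated as data, never as SQL.
            // Types and lengths are assumed; they should mirror the column definitions.
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 100).Value = email;
            cmd.Parameters.Add("@firstname", SqlDbType.NVarChar, 50).Value = firstname;
            cmd.Parameters.Add("@lastname", SqlDbType.NVarChar, 50).Value = lastname;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password;
            cmd.Parameters.Add("@country", SqlDbType.NVarChar, 50).Value = country;
            cmd.Parameters.Add("@postalcode", SqlDbType.Int).Value = postal;
            cmd.Parameters.Add("@dob", SqlDbType.DateTime).Value = dob;
            cmd.Parameters.Add("@gender", SqlDbType.NVarChar, 10).Value = gender;

            cnn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Typed parameters also give you length enforcement for free: a value longer than the declared size is rejected by the provider rather than silently truncated or concatenated into the query.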
 
