However, it is up to developers to use that functionality properly to
make their applications secure.
SQL functionality in .Net is exposed within the System.Data.SqlClient namespace.
This namespace contains classes such as SqlConnection and SqlCommand. To interact
with a database, developers create an SqlConnecton, connect to the database, and then
use SqlCommands to run their queries. Here??™s an example:
//Connect to the local Northwind database with the current user's
//Windows identity
string connectionString =
"Server=localhost;Database=AdventureWorks;Integrated Security=SSPI";
SqlConnection sqlConn = new SqlConnection(connectionString);
sqlConn.Open();
SqlCommand sqlCommand = sqlConn.CreateCommand();
sqlCommand.CommandType = CommandType.Text;
sqlCommand.CommandText =
"SELECT * FROM Contact WHERE FirstName='" + firstName + "'";
sqlCommand.ExecuteReader();
This code will connect to the sample AdventureWorks database included with
Microsoft SQL Server 2005 and execute a select query to retrieve information about the
specified contact from the database. Notice that the query is put together by concatenating
user input, the firstName string, with the query string.
Pages:
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237