Also note that an attacker can inject multiple commands
into the query by using the semicolon (;) operator to separate each command.
Use the SqlParameter Class to Delineate User Data and Query Information
Fortunately, these bugs are easy to avoid using .Net. Use the SqlParameter class to
insert data within SQL queries instead of direct insertion through string concatenation.
By using SqlParameter classes, the .Net classes will know to separate user data from
the query text and will make sure that the attacker's data is not able to influence the
query plan used when executing against the database. SqlParameter classes may be
used with both stored procedures and standard text queries such as the select query in
the previous example.
To use an SqlParameter object with a text query, you can indicate variables by
placing query variables within the query and then adding appropriate SqlParameter
objects to the SqlCommand. Query variables are indicated within queries by using the
@ParameterName notation where ParameterName is the name of a SqlParameter that
you will provide to the SqlCommand. Some beneficial side effects of using parameterized
queries are that in some cases repeated queries will execute faster, and code can become
easier to read and audit.
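The following is an added example, not code from the book, showing the concatenated query next to its parameterized replacement, with a text query and a stored procedure both using the @ParameterName notation. The Users table, its columns, the connection string and the stored procedure name dbo.GetUserByName are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed schema (not from the page): a Users table with columns Id and UserName.
public static class UserLookup
{
    // Vulnerable form: the input becomes part of the query text, so a quote or a
    // semicolon in it can change the structure of the statement that is executed.
    public static SqlCommand BuildConcatenated(SqlConnection conn, string userName)
    {
        string sql = "SELECT Id, UserName FROM Users WHERE UserName = '" + userName + "'";
        return new SqlCommand(sql, conn);
    }

    // Parameterized form: the query text is fixed and the value is sent separately,
    // so the database treats the input as data, not as part of the query plan.
    public static SqlCommand BuildParameterized(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, UserName FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    // The same SqlParameter mechanism applied to a stored procedure (assumed name).
    public static SqlCommand BuildStoredProcedure(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("dbo.GetUserByName", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input containing both a quote and a semicolon; with the
        // parameterized command it is simply compared literally against UserName.
        string input = "o'brien; SELECT 1";
        using (var conn = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=true"))
        using (SqlCommand cmd = BuildParameterized(conn, input))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine($"{reader.GetInt32(0)} {reader.GetString(1)}");
            }
        }
    }
}
```

Declaring the parameter with an explicit SqlDbType and length also gives the database a stable plan to reuse across calls, which is the performance side effect the text mentions.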