Most of the time I access data using stored procedures, but at times I use statements which I believe are not vulnerable to SQL injection.
Below is an example I use:
protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        // Request["CatID"] is a string; it has to be converted to int before use
        // (int.Parse throws on non-numeric input, which the catch below reports).
        int CatID = int.Parse(Request["CatID"]);
        if (!IsPostBack)
        {
            getDetails(CatID);
        }
    }
    catch (Exception ex)
    {
        // Note: this echoes the raw exception message to the browser.
        Response.Write(ex.Message.ToString());
    }
}

private DataTable getDetails(int CatID)
{
    try
    {
        DataSet ds = new DataSet();
        // CatID is an int, so the concatenation can only ever append digits (and a sign).
        string strSql = "SELECT * FROM TableXYZ WHERE CatID = " + CatID;
        ds = DataProvider.Connect_Select(strSql);
        DataTable dt = ds.Tables[0];
        return dt;
    }
    catch (Exception)
    {
        // Rethrow unchanged; the caller's catch handles reporting.
        throw;
    }
}
I filter my input (the query string), then call the getDetails function, passing CatID as a parameter to the function and from there into the SQL statement. Since this is integer-typed data, is this code vulnerable to SQL injection?
I want to clear my doubt so that I don't use a SQL statement like this.
Since CatID is an int, no, in this case you're not vulnerable to SQL injection. But the path you've chosen is a slippery slope and will, someday, be prone to SQL injection when you refactor or change your code. It's better to get into the habit of using parameterized queries and sticking with it.
I can wholeheartedly suggest you try Dapper (which is available as a NuGet package); this will greatly simplify things and you won't have to change that much for its benefits.
Your code will then become something like:
myConnection.Query<Customer>("SELECT * FROM TableXYZ WHERE CatID = @catid", new { catid = CatID });
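To make the "slippery slope" concrete, here is an added example (not code from the question or the answer above) that writes the same lookup three ways with plain ADO.NET, so the difference is visible without Dapper. The connection string, the table name TableXYZ and the column CatID are assumptions for illustration; the TryParseCatId helper is likewise made up for this example.

```csharp
// Added example, not part of the original question or answer.
// Assumptions: SQL Server via System.Data.SqlClient, a table TableXYZ with an
// integer column CatID, and the connection string below.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class CategoryRepository
{
    // Assumed connection string; replace with your own.
    private const string ConnectionString =
        "Server=.;Database=AppDb;Integrated Security=true;";

    // Input handling for the page: reject anything that is not an integer
    // instead of letting int.Parse throw and its message reach the browser.
    public static bool TryParseCatId(string raw, out int catId)
    {
        return int.TryParse(raw, NumberStyles.Integer,
                            CultureInfo.InvariantCulture, out catId);
    }

    // 1. The pattern from the question. Safe only because catId is an int:
    //    int.ToString() yields digits and an optional sign, so no quote,
    //    comment marker or statement separator can reach the SQL text.
    public static DataTable GetDetailsConcatInt(int catId)
    {
        string sql = "SELECT * FROM TableXYZ WHERE CatID = " + catId;
        return Run(sql, cmd => { });
    }

    // 2. The slippery slope. A later refactor changes the parameter to a
    //    string (say, to support category codes like "A12") and keeps the
    //    concatenation. Nothing in the compiler complains, but the query is
    //    now injectable: a catId of  1' OR '1'='1  returns the whole table.
    //    Shown only to illustrate the failure mode; do not use.
    public static DataTable GetDetailsConcatString(string catId)
    {
        string sql = "SELECT * FROM TableXYZ WHERE CatID = '" + catId + "'";
        return Run(sql, cmd => { });
    }

    // 3. Parameterized query. The value travels separately from the statement
    //    text and is typed on the wire, so it can never change the structure
    //    of the query, whatever type the parameter is later refactored to.
    public static DataTable GetDetailsParameterized(int catId)
    {
        const string sql = "SELECT * FROM TableXYZ WHERE CatID = @CatID";
        return Run(sql, cmd =>
            cmd.Parameters.Add("@CatID", SqlDbType.Int).Value = catId);
    }

    // Shared plumbing: open a connection, bind parameters, fill a DataTable.
    private static DataTable Run(string sql, Action<SqlCommand> bindParameters)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            bindParameters(cmd);
            var dt = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(dt); // Fill opens and closes the connection itself
            }
            return dt;
        }
    }
}
```

In Page_Load the call site becomes `if (CategoryRepository.TryParseCatId(Request["CatID"], out int catId)) { ... GetDetailsParameterized(catId) ... }` with a 400-style error on failure, which also removes the need to write exception messages to the response. The Dapper line in the answer is the same idea as method 3 with less plumbing: the anonymous object's properties become typed SqlParameters.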