Avoiding SQL injection when saving user-agent using ASP.net_问答_开发者

Avoiding SQL injection when saving user-agent using ASP.net

开发者 https://www.devze.com 2023-04-08 14:56 出处：网络

I\'m saving the browser user-agent of my users for stats purposes. As you already know, user-agent can be modified. I would like to know if I should do anything to protect against SQL Injection.

I'm saving the browser user-agent of my users for stats purposes.

As you already know, user-agent can be modified. I would like to know if I should do anything to protect against SQL Injection.

I'm using Stored开发者_开发知识库 Procedures for inserting.

Many thanks.

Use parameters with stored procedures or use parameters with dynamic SQL.

Here's the example from MSDN:

  SqlDataAdapter dataAdapter = new SqlDataAdapter(
       "SELECT CustomerID INTO #Temp1 FROM Customers " +
       "WHERE CustomerID > @custIDParm; SELECT CompanyName FROM Customers " +
       "WHERE Country = @countryParm and CustomerID IN " +
       "(SELECT CustomerID FROM #Temp1);",
       connection);
  SqlParameter custIDParm = dataAdapter.SelectCommand.Parameters.Add(
                                          "@custIDParm", SqlDbType.NChar, 5);
  custIDParm.Value = customerID.Text;

  SqlParameter countryParm = dataAdapter.SelectCommand.Parameters.Add(
                                      "@countryParm", SqlDbType.NVarChar, 15);
  countryParm.Value = country.Text;

  connection.Open();
  DataSet dataSet = new DataSet();
  dataAdapter.Fill(dataSet);

Use a prepared statement. Make sure you use a prepared statement for all SQL operations, even if the data comes out of the database.