C# - Can this be a victim of SQL injection?
Hi, I am getting an id value from a drop-down list and passing it to a code-behind method, which passes the value into a SQL operation.
I am wondering if this is the right way of doing it.
If not, why not, how could someone inject SQL here, and what is the solution?
```csharp
protected void drop1_SelectedIndexChanged(object sender, EventArgs e)
{
    int abcid;
    abcid = Convert.ToInt32(drop1.SelectedItem.Value);
    // the converted integer is concatenated straight into the SQL text
    string sc = "SELECT dddd FROM table1 WHERE abcid NOT IN (" + abcid + ")";
    using (SqlDataSource ds = new SqlDataSource(ConnectionString(), sc))
    {
    }
}
```
Since you are using Convert.ToInt32
on the value sent by the user, SQL injection cannot occur. Invalid values throw exceptions.
However, it is good practice to use parameterized queries.
That way string values are safe as well.
```csharp
// the value is bound as a parameter instead of being pasted into the SQL text
SqlCommand command = new SqlCommand("SELECT dddd FROM table1 WHERE abcid NOT IN (@myid)");
command.Parameters.AddWithValue("@myid", abcid);
```
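An added, runnable illustration of the answer's two points (integer conversion rejects anything that is not a number, and parameters make string values safe where concatenation does not), written in Python with sqlite3 rather than the page's C#/SqlDataSource; it is not code from the question or the answer, and table1, abcid, dddd and the sample rows are constructed to match the names on the page.

```python
import sqlite3

# Constructed sample data standing in for the page's table1(abcid, dddd).
ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def make_db():
    """In-memory stand-in for the database behind ConnectionString()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (abcid INTEGER, dddd TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?)", ROWS)
    return conn


def to_int(value):
    """Mirror Convert.ToInt32: anything that is not a whole number raises."""
    return int(str(value).strip())


def concat_query(conn, value):
    """The question's pattern: the value is pasted into the SQL text.
    Safe only because an int was concatenated; a string value changes the SQL."""
    sql = "SELECT dddd FROM table1 WHERE abcid NOT IN (" + str(value) + ")"
    return [row[0] for row in conn.execute(sql)]


def param_query(conn, value):
    """The answer's pattern: the value travels as a bound parameter,
    so even a string containing a quote is just data."""
    sql = "SELECT dddd FROM table1 WHERE abcid NOT IN (?)"
    return [row[0] for row in conn.execute(sql, (value,))]


def dropdown_handler(conn, posted_value):
    """Equivalent of drop1_SelectedIndexChanged: convert first, then bind."""
    return param_query(conn, to_int(posted_value))
```

Run `concat_query(make_db(), "it's")` and `param_query(make_db(), "it's")` side by side: the first fails with an SQL syntax error because the quote became part of the statement, the second simply returns every row.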