#12 How to avoid injection attacks?

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2006-08-02
Created: 2006-08-02
Creator: Anonymous
Private: No

Here is the code:

    using (SQLiteConnection connection = CreateConnection())
    {
        IDbCommand command = connection.CreateCommand();
        command.CommandText = "SELECT * FROM t WHERE a=@a";

        IDbDataParameter p = command.CreateParameter();
        p.ParameterName = "@a";
        p.Value = "1;DELETE FROM t";
        command.Parameters.Add(p);
        command.ExecuteNonQuery();
    }

The p.Value changed to "1;DELETE FROM t", and all rows in table t will be deleted. How can I avoid it?

Discussion