Are any of these SQL Queries open to SQL injection attacks?
I have re-written my code after great help from some friendly stack overflow members (big thanks to Martin B and Kev Chadders especially). I would now lik开发者_如何学JAVAe to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see i'd love to hear about too. My code is now looking like:
-code removed-
It seems you are safe from SQL injection attacks, but code like this:
Response.Write(result);
and:
Response.Write("<b><u> --- Begin SQL Exception Message ---</u></b><br />")
Response.Write(ex)
Response.Write("<br /><b><u> --- End SQL Exception Message ---</u></b>")
could leave you open for other forms of attack such as XSS. You should set the text element of an ASP.NET control, not directly write to the page.
Seems fine to me.
Basically, if you don't concatenate SQL string and uses parametrized queries, you're safe against SQL injection attacks.
You're using SqlParameters which effectively removes all SQL injection issues.
You can run the static code analysis tool CAT.NET to identify all XSS and SQL injection vectors accross a project, including referenced assemblies.
http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
Reports usually make for some interesting reading.
You should run a scanner to check for potential SQL injection vulnerabilities. I have had some luck with http://sqlmap.sourceforge.net/
精彩评论