Escaping SelectParameters in ASP.NET
I have the following SQLDataSource:
<asp:SqlDataSource ID="topicSource" runat="server" ConnectionString="<%$ ConnectionStrings"
    SelectCommandType="Text" SelectCommand="SELECT * FROM tbl_Topic WHERE TopicId = @TopicId">
    <SelectParameters>
        <asp:QueryStringParameter Name="TopicId" QueryStringField="id" />
    </SelectParameters>
</asp:SqlDataSource>
Does ASP.NET escape the select parameter for me? If not, what do I do to make it safer to prevent injections?
Yes: in this case, you are fully protected from SQL injection. That's the whole point of having SQL parameters in this fashion.
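To make the mechanism behind that answer concrete, here is an added example (not part of the question or the answer above, and not ASP.NET code) that uses Python's sqlite3 module as a stand-in for the data provider. A bound parameter is not "escaped" at all: the query text and the value are sent to the database separately, so the value can never become part of the SQL. The example contrasts a deliberately vulnerable version that concatenates the ?id= value into the statement with a parameterized version that mirrors the SelectParameters binding, and a third version that mirrors declaring Type="Int32" on the QueryStringParameter so that non-numeric input is rejected before the query runs. The table contents are constructed sample data, and the function names are this example's own.

```python
import sqlite3

# Constructed sample rows standing in for tbl_Topic (assumption: three topics).
TOPICS = [(1, "Welcome"), (2, "Security"), (3, "Private draft")]


def make_db():
    """Create an in-memory database with a tbl_Topic table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_Topic (TopicId INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO tbl_Topic VALUES (?, ?)", TOPICS)
    return conn


def select_concatenated(conn, topic_id):
    """Deliberately vulnerable: the raw ?id= value is pasted into the SQL text.

    A value such as "1 OR 1=1" rewrites the WHERE clause and returns every row.
    """
    sql = "SELECT * FROM tbl_Topic WHERE TopicId = " + topic_id
    return conn.execute(sql).fetchall()


def select_parameterized(conn, topic_id):
    """Safe: the value is bound to a named placeholder, as SelectParameters does.

    The whole string "1 OR 1=1" is compared against TopicId as one value, so it
    matches nothing; the statement text itself never changes.
    """
    sql = "SELECT * FROM tbl_Topic WHERE TopicId = :TopicId"
    return conn.execute(sql, {"TopicId": topic_id}).fetchall()


def select_typed(conn, topic_id):
    """Safer still: convert to int first, mirroring Type="Int32" on the parameter.

    Non-numeric input fails with ValueError before any SQL is executed, which
    surfaces tampering early instead of silently returning an empty result.
    """
    return select_parameterized(conn, int(topic_id))


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("concatenated:", select_concatenated(db, payload))   # all three rows
    print("parameterized:", select_parameterized(db, payload))  # []
    try:
        select_typed(db, payload)
    except ValueError as exc:
        print("typed:", exc)
```

The parameterized query keeps the `WHERE TopicId = :TopicId` shape no matter what the request contains, which is exactly what the `@TopicId` placeholder in the SelectCommand guarantees. The protection depends on the value staying in the parameter: building the SelectCommand text from `Request.QueryString` in code-behind would reintroduce the concatenated form.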