Prevent SQL injection!

In the Northwind database the Customers table has a CustomerID field that is 5 characters long (nchar(5)).

I am using the MyGeneration dOOdad architecture and I query the database for every customer that has a CustomerID of 'ANTON'.

In my code this looks like :

Dim cust As New Customers
cust.Where.CustomerID.Value = "ANTON --AND HERE IS SOME STUFF TOO--"
cust.Query.Load()

So in my code I actually query on: ANTON --AND HERE IS SOME STUFF TOO--

But if I look in SQL Profiler I see the following:

exec sp_executesql N'SELECT * FROM [Customers] WHERE [CustomerID] = @CustomerID1 ', N'@CustomerID1 nchar(5)', @CustomerID1 = N'ANTON'

So the value of @CustomerID1 is truncated to the declared length of the column, nchar(5). Note, though, that the truncation is not what stops SQL injection: the value is handed to sp_executesql as a typed parameter instead of being concatenated into the statement text, so whatever it contains (quotes, comment markers, extra predicates) is treated as data and can never change the query. The cut-off at five characters is just a side effect of the parameter's type and would be no defense on its own; the parameterized query is what prevents SQL injection.

The more I look at the dOOdad architecture the more I like it.
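To make the difference between concatenating the value and passing it as a parameter concrete, here is an added example that is not part of this post and does not use dOOdad: the same lookup run both ways against a small in-memory SQLite table. The rows are constructed sample data loosely modelled on Northwind, the function names are my own, and SQLite is used in place of SQL Server because the mechanism (text spliced into SQL versus a bound parameter) is the same; SQLite does not truncate to nchar(5), so the post's own string simply matches no row under the parameterized query, while the quote-based payloads show how concatenation lets the input rewrite the query.

```python
import sqlite3

# Constructed sample rows standing in for the Northwind Customers table;
# only the 5-character CustomerID key mirrors Northwind (assumption for the demo).
SAMPLE_CUSTOMERS = [
    ("ALFKI", "Alfreds Futterkiste", "Germany"),
    ("ANATR", "Ana Trujillo Emparedados y helados", "Mexico"),
    ("ANTON", "Antonio Moreno Taqueria", "Mexico"),
    ("AROUT", "Around the Horn", "UK"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerID TEXT PRIMARY KEY, "
        "CompanyName TEXT, Country TEXT)"
    )
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def load_customers_concat(conn, customer_id):
    """Vulnerable: the value is spliced into the SQL text, so quotes and
    comment markers inside it become part of the statement's grammar."""
    sql = (
        "SELECT CustomerID FROM Customers WHERE CustomerID = '"
        + customer_id
        + "' ORDER BY CustomerID"
    )
    return [row[0] for row in conn.execute(sql)]


def load_customers_param(conn, customer_id):
    """Safe: the value is bound as a parameter, which is what the generated
    sp_executesql call in the post does; the SQL text never changes."""
    sql = "SELECT CustomerID FROM Customers WHERE CustomerID = ? ORDER BY CustomerID"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


# Inputs to compare: the legitimate key, the post's comment-style string,
# and two quote-based payloads an attacker would actually use.
INPUTS = {
    "legit": "ANTON",
    "page_payload": "ANTON --AND HERE IS SOME STUFF TOO--",
    "comment_out": "ANTON' --",
    "or_true": "ANTON' OR '1'='1",
}


def compare(conn):
    """Run every input through both query styles.

    Returns {name: (rows_from_concat, rows_from_param)}; a payload that breaks
    the concatenated SQL outright is reported as an error string instead of rows.
    """
    results = {}
    for name, value in INPUTS.items():
        try:
            concat_rows = load_customers_concat(conn, value)
        except sqlite3.Error as exc:
            concat_rows = "error: %s" % exc
        results[name] = (concat_rows, load_customers_param(conn, value))
    return results


if __name__ == "__main__":
    for name, (concat_rows, param_rows) in compare(make_db()).items():
        print("%-12s concat=%r  param=%r" % (name, concat_rows, param_rows))
```

Under concatenation, `ANTON' --` comments out the rest of the statement and `ANTON' OR '1'='1` returns every customer; under the bound parameter both strings are compared literally against CustomerID and match nothing. The post's own `ANTON --AND HERE IS SOME STUFF TOO--` lands inside the quoted literal in the concatenated version too, which is why it looked harmless in either form.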

Published 03-18-2005 2:44 PM by Patrick Wellink

Comments

# re: Prevent SQL injection!

Friday, March 18, 2005 7:54 PM by Patrick Wellink
Yes, and the mere fact that it is passed in via a parameter means that SQL injection is basically eliminated.