
  • Re: Anyone know about www.nihaorr1.com/1.js?

    Apr 25, 2008 06:32 PM | xp_cmdshell

    steve schofield

    Prepared statements generally are stored procedures, at least that is my understanding. Dynamic SQL type pages can be exposed to SQL injection attacks. Of course, if the stored procedure takes input without it being validated, it can be as well. But that is one layer deeper. Only good error coding can prevent it.


    Imports System.Data
    Imports System.Data.SqlClient

    ' Read the untrusted value; it is never concatenated into the SQL text.
    Dim UserSuppliedString As String = Request.QueryString("UserSuppliedString")

    ' The query text names a placeholder; the value is bound to it separately.
    Dim cmd As New SqlCommand("SELECT * FROM blahblah WHERE id = @au_id")
    Dim param As New SqlParameter("@au_id", SqlDbType.VarChar)
    param.Value = UserSuppliedString
    cmd.Parameters.Add(param)
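To make the difference between the "dynamic SQL" the post warns about and the parameterized SqlCommand it shows concrete, here is an added, runnable example that is not part of the original post or the IIS.NET thread. It uses Python's built-in sqlite3 module against an in-memory table instead of SQL Server and ADO.NET, so it runs offline; the table name `blahblah`, the column `id` and the sample rows are constructed to mirror the post's query. The same tautology payload is sent to both versions: the concatenated query returns every row, while the bound parameter is compared as a literal string and matches nothing, because the protection comes from the value being bound rather than spliced into the query text.

```python
import sqlite3

# Constructed sample data standing in for the post's "blahblah" table.
ROWS = [("1", "alice"), ("2", "bob"), ("3", "carol")]


def _connect():
    """Build a fresh in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blahblah (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO blahblah VALUES (?, ?)", ROWS)
    return conn


def lookup_dynamic(user_supplied):
    """Vulnerable form: the user value is concatenated into the SQL text,
    so quotes and operators in the value are parsed as SQL."""
    conn = _connect()
    sql = "SELECT id, name FROM blahblah WHERE id = '" + user_supplied + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(user_supplied):
    """Hardened form, the sqlite3 equivalent of the post's SqlParameter:
    the SQL text is fixed and the value is bound to the ? placeholder,
    so it can only ever be compared as data."""
    conn = _connect()
    return conn.execute(
        "SELECT id, name FROM blahblah WHERE id = ?", (user_supplied,)
    ).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("dynamic, benign input:      ", lookup_dynamic("2"))
    print("dynamic, injected input:    ", lookup_dynamic(payload))
    print("parameterized, injected:    ", lookup_parameterized(payload))
```

The vulnerable function builds `WHERE id = '' OR '1'='1'`, which is always true; the parameterized one looks for a row whose id literally equals the payload string and finds none. The binding mechanism, not the choice between inline SQL and a stored procedure, is what keeps the value out of the parser.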