How do parameterized queries help against SQL injection?

c# .net sql sql-server-2005 parameterized-query
sqlchild picture sqlchild · Mar 29, 2011 · Viewed 41.6k times · Source

In both queries 1 and 2, the text from the textbox is inserted into the database. What's the significance of the parameterized query here?

  1. Passing txtTagNumber as a query parameter

    SqlCommand cmd = new SqlCommand("INSERT INTO dbo.Cars " +"VALUES(@TagNbr);" , conn);
cmd.Parameters.Add("@TagNbr", SqlDbType.Int);
cmd.Parameters["@TagNbr"].Value = txtTagNumber.Text;

  2. Converting txtTagNumber to an integer before constructing the query

    int tagnumber = txtTagNumber.Text.ToInt16(); /* EDITED */
INSERT into Cars values(tagnumber.Text); /* then is it the same? */

Also, here I would use Regular Expression validation to stop insertion of illegal characters.

Answer

OJ. picture OJ. · Mar 29, 2011

Parameterized queries do proper substitution of arguments prior to running the SQL query. It completely removes the possibility of "dirty" input changing the meaning of your query. That is, if the input contains SQL, it can't become part of what is executed becase the SQL is never injected into the resulting statement.

Related questions

What is the syntax for an inner join in LINQ to SQL?

I'm writing a LINQ to SQL statement, and I'm after the standard syntax for a normal inner join with an ON clause in C#. How do you represent the following in LINQ to SQL: select DealerContact.* from Dealer inner join …

Read More
Read SQL Table into C# DataTable

I've read a lot of posts about inserting a DataTable into a SQL table, but is there an easy way to pull a SQL table into a .NET DataTable?

Read More
Get affected rows on ExecuteNonQuery

I am currently working on a C# project and I am running an insert query which also does a select at the same time, e.g.: INSERT INTO table (SELECT * FROM table WHERE column=date) Is there a way I …

Read More