I have some questions about how to prevent SQL injection with the help of parameterised queries.

[code]
// the statement text is fixed; @uname and @passwd are placeholders for the values
sqlQuery = "SELECT * FROM usersTbl WHERE username=@uname AND password=@passwd";
SqlCommand cmd = new SqlCommand(sqlQuery, conn);
SqlParameter[] par = new SqlParameter[2];   // SqlParameter, not MySqlParameter
par[0] = new SqlParameter("@uname", SqlDbType.VarChar, 25);   // no trailing space in the name
par[1] = new SqlParameter("@passwd", SqlDbType.VarChar, 45);
par[0].Value = username;   // the two strings supplied by the client
par[1].Value = password;
cmd.Parameters.AddRange(par);
object result = cmd.ExecuteScalar();
[/code]

And then I attach them to the SqlCommand and ExecuteScalar it.

For example, if the client inserts the string [code];DROP --[/code] in the password variable, will the parameterised query prevent the [code]DROP[/code] query from being executed?

Thank you
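The following is an added, runnable illustration of what the question is asking (it is not code from the poster). It uses Python's standard sqlite3 module with `?` placeholders in place of SqlCommand's `@uname`/`@passwd` parameters; the binding principle is the same. The table and sample rows are constructed for the demo, and the `;DROP --` input is the one from the question. The string-built variant is included only for contrast, to show that a bound value stays data while a concatenated value becomes part of the statement.

```python
import sqlite3

# Constructed sample data; the table name and columns follow the question.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def build_db():
    """Create an in-memory SQLite database with a usersTbl like the one in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usersTbl (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO usersTbl VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_parameterised(conn, uname, passwd):
    """Parameterised query: the SQL text is fixed and the two values are bound as data.

    The '?' placeholders play the role of @uname / @passwd in the SqlCommand version.
    """
    cur = conn.execute(
        "SELECT username FROM usersTbl WHERE username=? AND password=?",
        (uname, passwd),
    )
    row = cur.fetchone()
    return row[0] if row else None


def lookup_concatenated(conn, uname, passwd):
    """String-built query, shown only for contrast: the values become part of the statement."""
    sql = ("SELECT username FROM usersTbl WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def table_names(conn):
    """List the tables that exist, so we can confirm nothing was dropped."""
    return sorted(r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"))


def demo():
    conn = build_db()
    out = {}
    out["param_valid"] = lookup_parameterised(conn, "alice", "correct horse")
    # the question's input ';DROP --' is compared literally as a password and matches nothing
    out["param_payload"] = lookup_parameterised(conn, "alice", ";DROP --")
    # a value containing a quote stays data: the statement is not broken, no row matches
    out["param_quote"] = lookup_parameterised(conn, "alice", "it's")
    # with concatenation the same quote is parsed as SQL and the statement fails
    try:
        lookup_concatenated(conn, "alice", "it's")
        out["concat_quote_broke_statement"] = False
    except sqlite3.OperationalError:
        out["concat_quote_broke_statement"] = True
    out["tables_after"] = table_names(conn)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from `demo()` is that the parameterised lookup never changes the statement text: the driver sends one fixed statement plus two values, so `;DROP --` is just an unsuccessful password guess and the `usersTbl` table is still there afterwards. The concatenated lookup is the shape to avoid, since whatever the client types is spliced into the SQL before the parser sees it.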