
I'm testing a web page to prevent SQL injection. Here is my ASPX page source:

<asp:SqlDataSource ID="SqlDataSource_Test" runat="server"  
     ConnectionString="<%$ ConnectionStrings:Default %>" >    
</asp:SqlDataSource>
<asp:GridView ID="GV" runat="server" Visible="False" 
     DataSourceID="SqlDataSource_Test" ></asp:GridView>

In the code behind:

string ID = Request["id"];

SqlDataSource_Test.SelectCommand = "SELECT * FROM TABLE WHERE id = @ID";
SqlDataSource_Test.SelectParameters.Add(new Parameter("ID", System.Data.DbType.String, ID)); 

GV.DataBind();

but when I request the page with the url:

http://localhost:5284/details.aspx?id=731974'; update table set name='SQL INJECTION' where ID=1--&p=2

The field "name" is updated to "SQL INJECTION".

How to prevent SQL injection in SqlDataSource control?


1 Answer

Change new Parameter("ID", System.Data.DbType.String, ...) to new Parameter("ID", System.Data.DbType.Int32, ...).

    
The ID parameter must be an string – Ernesto Rodriguez Oct 16 at 8:46
    
If so, create a stored procedure and pass @ID as parameter. – qxg Oct 16 at 8:55
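The full code-behind for this page, as an added example that is not part of the question or the answers above: the string concatenation that the posted payload actually exploits is shown (commented out) beside the parameterised text command and the stored-procedure variant suggested in the comments. The control names, column name and table name come from the question; the id alphabet, the column width (20) and the procedure name dbo.GetDetailsById are assumptions made for this example.

```csharp
using System;
using System.Data;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for details.aspx. Assumes the SqlDataSource_Test and GV controls
// from the ASPX markup in the question. IdColumnWidth, the id character set
// and dbo.GetDetailsById are assumptions for this example.
public partial class Details : Page
{
    // Assumed width of the id column: a longer value can never match a row.
    private const int IdColumnWidth = 20;

    protected void Page_Load(object sender, EventArgs e)
    {
        string id = Request.QueryString["id"];

        // Input validation is a second line of defence, not the primary one:
        // reject what can never be a valid id before it reaches the database.
        if (string.IsNullOrEmpty(id) || id.Length > IdColumnWidth ||
            !Regex.IsMatch(id, @"^[A-Za-z0-9\-]+$"))   // assumed id alphabet
        {
            GV.Visible = false;
            return;
        }

        // VULNERABLE (never do this): splicing the value into the command text
        // makes  731974'; update table set name='SQL INJECTION' where ID=1--
        // part of the SQL, so the UPDATE executes as a second statement.
        // SqlDataSource_Test.SelectCommand =
        //     "SELECT * FROM [TABLE] WHERE id = '" + id + "'";

        // SAFE, variant 1: parameterised text command. The value is sent to
        // SQL Server as typed data and is never parsed as SQL, whatever it holds.
        SqlDataSource_Test.SelectCommandType = SqlDataSourceCommandType.Text;
        SqlDataSource_Test.SelectCommand = "SELECT * FROM [TABLE] WHERE id = @ID";
        SqlDataSource_Test.SelectParameters.Clear();   // no duplicates on repeated loads
        var idParam = new Parameter("ID", DbType.String, id) { Size = IdColumnWidth };
        SqlDataSource_Test.SelectParameters.Add(idParam);

        // SAFE, variant 2 (the stored-procedure suggestion from the comments).
        // Only safe if the procedure does not rebuild the query from @ID with
        // EXEC / sp_executesql. Assumed definition:
        //   CREATE PROCEDURE dbo.GetDetailsById @ID nvarchar(20) AS
        //   SELECT * FROM [TABLE] WHERE id = @ID
        // SqlDataSource_Test.SelectCommandType = SqlDataSourceCommandType.StoredProcedure;
        // SqlDataSource_Test.SelectCommand = "dbo.GetDetailsById";

        GV.Visible = true;   // show the grid once it has data
        GV.DataBind();
    }
}
```

A parameter value never reaches the SQL parser as SQL text, so if the UPDATE still runs with the parameterised command in place, the injectable concatenation is somewhere else (another page or handler that reads the same query string, a different command on the data source, or dynamic SQL built inside a stored procedure), and that is where to look. Switching the parameter to DbType.Int32 is worthwhile defence in depth when ids are numeric, because the conversion fails on a payload like the one above, but it is the parameterisation, not the type, that stops the injection.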
