SQL Parameters - Prevent SQL Injection

SQL parameters (parameterized queries) can be used to protect a web site from SQL injection. A parameterized query is a SQL statement that uses placeholders instead of directly adding the input values into the query text. The placeholders are replaced with the actual values when the query executes. This makes the queries safer and more reusable. Most databases support parameterized queries, but the syntax varies:

- SQL Server uses @ for parameters
- PostgreSQL uses $ for parameters

SQL parameters are added to an SQL query at execution time, in a controlled manner.
ASP.NET Razor Example

// getRequestString() is the page's placeholder for reading a request value (query string or form field).
userid = getRequestString("UserId");
// With the ASP.NET Web Pages Database helper, placeholders are positional (@0, @1, ...);
// each value passed after the query text is bound to the matching placeholder.
// Query() is used for statements that return rows; Execute() is for statements that do not.
query = "SELECT * FROM Users WHERE UserId = @0";
db.Query(query, userid);

Note that parameters in SQL Server are represented by a @ marker. The SQL engine checks each parameter to ensure that it is valid for its column; parameter values are treated literally, and not as part of the SQL to be executed.
Another Example

cname = getRequestString("CustomerName");
caddress = getRequestString("Address");
ccity = getRequestString("City");
// Positional placeholders are bound, in order, to the values passed after the query text.
query = "INSERT INTO Customers (CustomerName, Address, City) VALUES (@0, @1, @2)";
db.Execute(query, cname, caddress, ccity);

The following examples show how to build parameterized queries in some common web languages.

SELECT STATEMENT IN ASP.NET:
// connectionString is assumed to hold the SQL Server connection string.
string userid = getRequestString("UserId");   // placeholder for reading the request value
string query = "SELECT * FROM Customers WHERE CustomerId = @userid";
using (SqlConnection conn = new SqlConnection(connectionString))
using (SqlCommand cmd = new SqlCommand(query, conn))
{
    cmd.Parameters.AddWithValue("@userid", userid);  // bound as a value, never spliced into the SQL text
    conn.Open();
    SqlDataReader reader = cmd.ExecuteReader();
}

INSERT INTO STATEMENT IN ASP.NET:
// connectionString is assumed to hold the SQL Server connection string.
string cname = getRequestString("CustomerName");
string caddress = getRequestString("Address");
string ccity = getRequestString("City");
string query = "INSERT INTO Customers (CustomerName, Address, City) VALUES (@cname, @caddress, @ccity)";
using (SqlConnection conn = new SqlConnection(connectionString))
using (SqlCommand cmd = new SqlCommand(query, conn))
{
    // Each named placeholder in the query text is bound to one request value.
    cmd.Parameters.AddWithValue("@cname", cname);
    cmd.Parameters.AddWithValue("@caddress", caddress);
    cmd.Parameters.AddWithValue("@ccity", ccity);
    conn.Open();
    cmd.ExecuteNonQuery();
}

AddWithValue infers the SQL type from the .NET value it is given; where the column type matters (for example NVARCHAR versus VARCHAR, or a fixed length), declare the parameter with an explicit SqlDbType and size instead so the engine's type check matches the column.
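The following runnable example, added here and not part of the original page, shows the difference the page describes between pasting input into the SQL text and binding it as a parameter. It uses Python's built-in sqlite3 module (placeholders are :name or ?, the sqlite equivalent of @name in SQL Server and $1 in PostgreSQL) so it runs offline; the Customers rows are constructed sample data. A customer name that contains an apostrophe breaks the concatenated query, because the quote changes the structure of the statement, while the parameterized query compares the same value literally and also handles the INSERT case from the page's last example.

```python
import sqlite3

# Sample data constructed for this example (not from the original page).
SAMPLE_CUSTOMERS = [
    (1, "Alfreds Futterkiste", "Berlin"),
    (2, "O'Brien Trading", "Dublin"),
    (3, "Around the Horn", "London"),
]


def make_sample_db():
    """Create an in-memory Customers table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerId INTEGER PRIMARY KEY, CustomerName TEXT, City TEXT)"
    )
    # executemany with ? placeholders is itself a parameterized statement.
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_concatenated(conn, name):
    """The pattern parameters replace: the input is pasted into the SQL text.

    Any quote character in the input changes the structure of the statement,
    so the engine no longer sees the query the developer wrote.
    """
    query = "SELECT CustomerId, CustomerName FROM Customers WHERE CustomerName = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a named placeholder (:name here, @name in SQL Server, $1 in PostgreSQL).

    The SQL text and the value travel separately, so the value is compared
    literally and is never parsed as SQL.
    """
    query = "SELECT CustomerId, CustomerName FROM Customers WHERE CustomerName = :name"
    return conn.execute(query, {"name": name}).fetchall()


def insert_parameterized(conn, name, city):
    """Parameterized INSERT, the same idea as the page's ASP.NET INSERT example.

    Returns the row count afterwards so the effect can be checked.
    """
    with conn:  # commits on success
        conn.execute(
            "INSERT INTO Customers (CustomerName, City) VALUES (:name, :city)",
            {"name": name, "city": city},
        )
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


def concatenated_lookup_breaks(conn, name):
    """True if the concatenated version cannot even execute for this input."""
    try:
        lookup_concatenated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_sample_db()
    print(lookup_parameterized(db, "O'Brien Trading"))       # [(2, "O'Brien Trading")]
    print(concatenated_lookup_breaks(db, "O'Brien Trading"))  # True
    print(insert_parameterized(db, "D'Angelo Foods", "Rome"))  # 4
```

For a plain name both functions return the same row; the split only shows once the input contains a character that has meaning to the SQL parser. That is the property the page relies on: the parameterized form does not need to know which characters are special, because the value is never part of the statement text.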