Mysql
 sql >> Base de Dados >  >> RDS >> Mysql

Resolvendo o problema de SQLinjection


Use parâmetros em suas consultas:
// C#
SqlCommand cmd = new SqlCommand("UPDATE Products SET description = @Description WHERE id = @ID");
cmd.Parameters.AddWithValue("@Description", "something");
cmd.Parameters.AddWithValue("@ID", 123);

E o equivalente em VB.net:
// VB.net
Dim cmd As New SqlCommand("UPDATE Products SET description = @Description WHERE id = @ID")
cmd.Parameters.AddWithValue("@Description", "something")
cmd.Parameters.AddWithValue("@ID", 123)