c# - Dynamic build query & SQL Injection & DLL files


I have read a lot of things about SQL injection, and many arguments why one should avoid building queries dynamically using plain code/concatenations within a .cs file.

However, I have a question and need advice from people with more experience than me.

I created DLL files in order to re-use code in different projects; the reason is thinking generically.

These DLL files contain the logic/code for building SQL queries in a dynamic way + concatenation of statements. Thereafter, I add these DLL files as references to the project.

Is this vulnerable to SQL injection? Is it an insufficient procedure (time consuming/insufficient maintenance)?

Any advice is appreciated.

If you are not processing the input before passing it to the query (built at run time), it is vulnerable to SQL injection. Adding a DLL or not doesn't make a difference.

To overcome this you need to use parameterised queries. They have multiple advantages apart from security.

One reason I can think of right now: you have a text box, and the query is

    "select * from table1 where name = '" + textbox1.Text + "'";

Now let's assume in textbox1 the user enters ehsan's. The query will go bang and won't execute.

Example of a parameterised query:

    "select * from table1 where name = @name"
    yourCommand.Parameters.AddWithValue("@name", textbox1.Text);
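To make the contrast concrete, here is an added example (not code from the question or the answer) of how the two approaches look when the query builder lives in a shared class, as it would in a reusable DLL. `QueryHelpers`, `table1`, the connection string and the sample input are assumptions for illustration; the example uses `Microsoft.Data.SqlClient`, and the parameterised version declares the parameter type explicitly rather than relying on `AddWithValue`, which is the recommended practice but not something the answer states.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;

// Hypothetical reusable class, as it might be compiled into a shared DLL.
public static class QueryHelpers
{
    // Concatenation: the user's text becomes part of the SQL statement itself,
    // so any quote character in the input changes the structure of the query.
    public static string BuildConcatenated(string name)
    {
        return "select * from table1 where name = '" + name + "'";
    }

    // Parameterised: the SQL text is fixed at compile time and the value is sent
    // to the server separately as a typed parameter, so it can never be parsed as SQL.
    public static SqlCommand BuildParameterised(SqlConnection connection, string name)
    {
        var command = new SqlCommand("select * from table1 where name = @name", connection);
        // Explicit type and length (assumed nvarchar(100) here) give stable query plans;
        // AddWithValue("@name", name) would also work, as in the answer above.
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return command;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: the value from the answer, containing an apostrophe.
        string input = "ehsan's";

        // The concatenated statement now contains an unbalanced quote and will fail to parse.
        Console.WriteLine(QueryHelpers.BuildConcatenated(input));

        // Placeholder connection string; the command is built but not executed here.
        using var connection = new SqlConnection(
            "Server=(local);Database=PLACEHOLDER_DB;Integrated Security=true;");
        using var command = QueryHelpers.BuildParameterised(connection, input);

        // CommandText is identical whatever the input; the apostrophe stays inside the parameter value.
        Console.WriteLine(command.CommandText);
        Console.WriteLine(command.Parameters["@name"].Value);
    }
}
```

Because `BuildParameterised` never changes its `CommandText`, it is safe to ship in a shared DLL and call from any project; the builder that concatenates input is only as safe as every caller that feeds it, which is the maintenance problem the question describes.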
