Back

Explore Courses Blog Tutorials Interview Questions

Is it safe to not parameterize an SQL query when the parameter is not a string?

0 votes
2 views
in SQL by (20.3k points)

In terms of SQL injection, I completely understand the necessity to parameterize a string parameter; that's one of the oldest tricks in the book. But when can it be justified to not parameterize a SqlCommand? Are any data types considered "safe" to not parameterize?

For example, I don't consider myself anywhere near an expert in SQL, but I can't think of any cases where it would be potentially vulnerable to SQL injection to accept a bool or an int and just concatenate it right into the query.

Is my assumption correct, or could that potentially leave a huge security vulnerability in my program?

For clarification, this question is tagged c# which is a strongly-typed language; when I say "parameter," think something like public int Query(int id).

1 Answer

0 votes
by (40.7k points)

Use the below query:

var sqlCommand = new SqlCommand("SELECT * FROM People WHERE IsAlive = " + isAlive + " AND FirstName = @firstName");

sqlCommand.Parameters.AddWithValue("firstName", "Rob");

In the above query, the type of EmployeeNumber is changed from int to string.

Related questions

0 votes
1 answer
What is parameterized query?
asked Dec 4, 2020 in SQL by Appu (6.1k points)
0 votes
1 answer
What is the syntax for an inner join in LINQ to SQL?
asked Jul 9, 2019 in SQL by Tech4ever (20.3k points)
+2 votes
1 answer
Parameterize an SQL IN clause
asked Jul 3, 2019 in SQL by Tech4ever (20.3k points)

Browse Categories

© COPYRIGHT 2011-2023 INTELLIPAAT.COM. ALL RIGHTS RESERVED.

Download Salary Trends Now !

Learn how professionals like you got up to 100% Salary Hike.

...