Explore Courses Blog Tutorials Interview Questions
0 votes
in SQL by (20.3k points)

In terms of SQL injection, I completely understand the necessity to parameterize a string parameter; that's one of the oldest tricks in the book. But when can it be justified to not parameterize a SqlCommand? Are any data types considered "safe" to not parameterize?

For example, I don't consider myself anywhere near an expert in SQL, but I can't think of any cases where it would be potentially vulnerable to SQL injection to accept a bool or an int and just concatenate it right into the query.

Is my assumption correct, or could that potentially leave a huge security vulnerability in my program?

For clarification, this question is tagged c# which is a strongly-typed language; when I say "parameter," think something like public int Query(int id).

1 Answer

0 votes
by (40.7k points)

Use the below query:

var sqlCommand = new SqlCommand("SELECT * FROM People WHERE IsAlive = " + isAlive + " AND FirstName = @firstName");

sqlCommand.Parameters.AddWithValue("firstName", "Rob");

In the above query, the type of EmployeeNumber is changed from int to string.

Related questions

0 votes
1 answer
asked Dec 4, 2020 in SQL by Appu (6.1k points)
0 votes
1 answer
+2 votes
1 answer
asked Jul 3, 2019 in SQL by Tech4ever (20.3k points)
Welcome to Intellipaat Community. Get your technical queries answered by top developers!

30.4k questions

32.5k answers


108k users

Browse Categories