Is SQL Injection running in winforms?

Question

Is SQL Injection running in winforms?

I am making Windows software in C #. I read about sql-injection , but I did not find it working on my application.

Is SQL Injection running in winforms?
If so, how to prevent them.

EDIT: I use text fields to read the username and password. and with textboxex, I found that the text from the text box is between double quotes ( "" ). So I did not find that it worked.

And when I use Quotes " OR ' in the text box, the text reads as \" OR \'

Example:

  ................... USER NAME: | a" OR "1"=="1 | ``````````````````` // it is read as textBox1.Text = "a\" OR \"1\"==\"1";

+4

c # sql-injection .net winforms

Javed akram Mar 31 '11 at 5:45

source share

3 answers

Yes. The easiest way to prevent this is to use SqlParameter for any user input sent to the database. Or do not use the SqlDataAdapter and use the Entity Framework instead.

+3

Yuriy faktorovich Mar 31 '11 at 5:48

source share

SQL injection is caused by using the input directly in SQL statements created on the fly (called dynamic SQL), which allows users to break SQL or "enter" their own SQL code.

Using stored procedures or SQL with parameters circumvent this.

So yes, this can happen in winforms if SQL is encoded this way.

+2

Mark redman Mar 31 '11 at 5:50

source share

Paweł smejda · Accepted Answer · 2011-03-31T05:49:45+0000

SQL injection is a common problem, independent of any technology. If you use .NET and want to prevent SQL Injection , always use SqlParameter instead of string concatenation.

Is SQL Injection running in winforms?

More articles: