As the title says, if I use SQL parameters, i.e.
SqlCommand cmd = new SqlCommand("SELECT TOP 1 * FROM users WHERE username = @user AND password = @pass", Cxn); // TOP 1 is the T-SQL form; LIMIT is not valid SQL Server syntax
cmd.Parameters.Add("@user", SqlDbType.VarChar);
cmd.Parameters.Add("@pass", SqlDbType.VarChar);
Can I just assign the parameter value directly from the input?
cmd.Parameters["@user"].Value = txtBxUserName.Text;
cmd.Parameters["@pass"].Value = txtBxPassword.Text;
This is what seems to be suggested whenever you look for something related to string escaping, etc.: the final answer is to simply bind the parameter. But will it protect against injections, etc.? Or do you still need to do some server-side validation?
Coming from a heavily PHP-oriented background, it goes against every fiber of my body to put text directly into a query :p
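The contrast the question is asking about, as an added example that is not part of the original post: the same login check written once with string concatenation and once with bound parameters, run against a constructed in-memory SQLite table with a classic `' OR 1=1 --` payload. It also shows the one place binding cannot help, a column name used in ORDER BY, where an allowlist check is the right server-side validation. Table contents, the `ALLOWED_SORT` allowlist and all function names are assumptions made for this demonstration, not code from the question.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory table standing in for the
# users table in the question. Passwords are stored in plaintext only to keep
# the demonstration short; a real system stores a salted hash.
def make_db():
    cxn = sqlite3.connect(":memory:")
    cxn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    cxn.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return cxn

def login_concat(cxn, user, pw):
    """The pattern the question is nervous about: input pasted into SQL text.
    Quotes and keywords in the input become part of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + user +
           "' AND password = '" + pw + "' LIMIT 1")
    row = cxn.execute(sql).fetchone()
    return row[0] if row else None

def login_param(cxn, user, pw):
    """Bound parameters: the statement text is fixed and the values travel
    separately, so the driver never parses them as SQL. The payload below is
    simply a username that nobody has."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ? LIMIT 1"
    row = cxn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None

# Hypothetical allowlist: identifiers (table/column names, ORDER BY targets)
# cannot be bound as parameters, so this is where validation is still needed.
ALLOWED_SORT = {"username"}

def list_users(cxn, sort_col):
    """Sorting by a caller-chosen column: binding does not apply here, so the
    column name is checked against a fixed allowlist before it touches SQL."""
    if sort_col not in ALLOWED_SORT:
        raise ValueError("unexpected sort column: %r" % sort_col)
    return [r[0] for r in cxn.execute("SELECT username FROM users ORDER BY " + sort_col)]

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("concatenated:", login_concat(db, payload, "wrong"))   # logs someone in
    print("parameterized:", login_param(db, payload, "wrong"))   # None
    print("legitimate:", login_param(db, "alice", "s3cret"))     # alice
```

With concatenation the payload turns the WHERE clause into `username = '' OR 1=1` and comments out the password check; with binding the identical bytes are compared as a literal username and match nothing. The `list_users` case is the honest answer to "do you still need validation": yes, for anything that is not a value, and for business rules (length, format, rate limits) that have nothing to do with SQL syntax.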