Brad Baker
I have an asp.net page written in C# which provides a search box which
updates a gridview control using the following code:
protected void search_button_Click(object sender, EventArgs e)
{
    string search_terms = search_textbox.Text;
    string search_fields = search_dropdown.Text;
    // The table name is missing from the post as published; the rest of
    // the statement is built by concatenating raw user input.
    string sql_string = "SELECT * FROM " /* table name elided */ +
                        " WHERE " + search_fields +
                        " LIKE '%" + search_terms + "%'";
    Datasource.SelectCommand = sql_string;
}
The code above works perfectly; however, it appears to be vulnerable to SQL
injection attacks and I am wondering how I can best sanitize user input prior
to using it in my SQL query. Is there a function built into C# I can use for
this?
Thanks!
Brad
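As an added example (not code from the original post), here is one way to rebuild the handler so that the search text is bound as a query parameter instead of concatenated, and the column name, which cannot be parameterized, is checked against a fixed allow-list. The page class, the control types (SqlDataSource, TextBox, DropDownList), the table name Products and the column names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI.WebControls;

// Hypothetical page class; Datasource, search_textbox and search_dropdown
// are assumed to be the controls from the original post.
public partial class SearchPage : System.Web.UI.Page
{
    // A column name cannot be sent as a SQL parameter, so the dropdown
    // value is accepted only if it matches a known column (assumed names).
    private static readonly HashSet<string> AllowedSearchFields =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "Title", "Author", "Description" };

    // Escapes LIKE wildcards so a user typing "%", "_" or "[" matches
    // those characters literally rather than as pattern syntax.
    private static string EscapeLikePattern(string input)
    {
        return input.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    protected void search_button_Click(object sender, EventArgs e)
    {
        string field = search_dropdown.Text;
        if (!AllowedSearchFields.Contains(field))
        {
            // Unknown column: refuse rather than build SQL from the value.
            return;
        }

        // The search text travels as the @pattern parameter, never as part
        // of the SQL text, so quotes or comment markers in it are just data.
        // "Products" is an assumed table name.
        Datasource.SelectCommand =
            "SELECT * FROM Products WHERE [" + field + "]" +
            " LIKE @pattern ESCAPE '\\'";
        Datasource.SelectParameters.Clear();
        Datasource.SelectParameters.Add(
            "pattern", "%" + EscapeLikePattern(search_textbox.Text) + "%");
    }
}
```

The allow-list is what protects the column position; the parameter protects the search term, and the ESCAPE clause keeps user-supplied wildcards from widening the match.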