Home > Back-end >  SQL Parameters within long String with VBNET
SQL Parameters within long String with VBNET

Time:11-08

i am trying to make my server injection proof, and have a log table where I store human readable events. Is it possible to put a sql parameter within the Logtext string? In order to prevent any malicious input to come via the maliciousString?

Dim User as String = "busssard"
Dim Logtext As String = "User performed modification " & maliciousString
myCommand = sqlconnection.CreateCommand()
myCommand.CommandText = "INSERT INTO dbo.Logging ([FK_User],[Change]) Values(@Username, '" & Logtext & "')"
myCommand.Parameters.AddWithValue("@Username",User)

There are workarounds, but i would like not to change too much in the whole DB structure..

CodePudding user response:

Don't use AddWithValue at all. Use Add and ALWAYS specify the size for columns that have one. Do it for both your values. Let's say that FK_User is varchar(50) and Change is nvarchar(max):

myCommand.CommandText = "INSERT INTO dbo.Logging ([FK_User], [Change]) VALUES (@FK_User, @Change)"
myCommand.Parameters.Add("@FK_User", SqlDbType.VarChar, 50).Value = user
myCommand.Parameters.Add("@Change", SqlDbType.NVarChar, -1).Value = logText

Page link:https//www.codepudding.com/Backend/601898.html

Prev:ORACLE SQL, I don't know how to use SUM() here
Next:Oracle delete and update billions of duplicate records from a table
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding