How Can I Prevent SQL Injection in My C# Application?

Safeguarding Your C# Application from SQL Injection Attacks

SQL injection remains a critical security threat. This article details effective strategies to protect your C# applications from this vulnerability.

Parameterized Queries: The Key to Prevention

The most robust defense against SQL injection is using parameterized queries. The SqlCommand class and its parameter collection handle data sanitization automatically, eliminating the risk of manual error and vulnerability.

Illustrative Example:

The following code snippet showcases the use of parameters in a C# application:

private static void UpdateDemographics(Int32 customerID,
    string demoXml, string connectionString)
{
    // Update store demographics stored in an XML column.
    string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
        + "WHERE CustomerID = @ID;";

    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        SqlCommand command = new SqlCommand(commandText, connection);
        command.Parameters.Add("@ID", SqlDbType.Int);
        command.Parameters["@ID"].Value = customerID;

        // AddWithValue handles implicit XML string conversion by SQL Server.
        command.Parameters.AddWithValue("@demographics", demoXml);

        try
        {
            connection.Open();
            Int32 rowsAffected = command.ExecuteNonQuery();
            Console.WriteLine("RowsAffected: {0}", rowsAffected);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}

This example uses parameters for both customerID and demoXml, preventing SQL injection vulnerabilities inherent in manually constructing SQL queries. This method ensures data integrity and application security.

The above is the detailed content of How Can I Prevent SQL Injection in My C# Application?. For more information, please follow other related articles on the PHP Chinese website!