Re: New to C# - DB question
- From: "Marc Gravell" <marc.gravell@xxxxxxxxx>
- Date: Fri, 18 Aug 2006 08:49:57 +0100
Some security advice;
A: don't ever store passwords (even ciphered) unless you **really** need to.
Perhaps hash them and compare hashes... and use a known hash (MD5 or
similar), not the CLR GetHashCode(), as that is implementation specific.
B: don't use string concatenation to place parameters into a SQL string -
you should be using the parameters collection instead (along with whichever
syntax is suitable in your SQL, for instance "?" or "@SomeParam" etc - refer
to documentation).
Firstly, you will run into trouble with the O'Neils of this world. More
importantly, the reason for this is the simple trick of SQL-injection: for
instance, I could enter (as my user id on the form):
Fred' SELECT * FROM sysobjects --
or about 1000 other things (DROP TABLE... SELECT username, password...); you
can waste a lot of time trying to protect yourself by escaping characters
such as quotes, but the parameters approach deals with it all *much* more
efficiently, robustly and safely.
Best of luck,
Marc
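Both of Marc's points, worked through in C#. This is an added example, not code from Marc's post or from the original thread; it assumes .NET 6 or later with the Microsoft.Data.Sqlite NuGet package so it can run against an in-memory database, and the `Users` table, user name and password are constructed sample data. Where the post suggests a known hash such as MD5, the example uses SHA-256 over a per-user random salt and a fixed-time comparison (editor's choice, not something the post prescribes). The concatenated query is kept only to show how the apostrophe in `O'Neil` breaks it, while the parameterised lookup takes the same name, and the injection string quoted in the post, as plain data.

```csharp
// Added example: parameterised lookup plus hash-and-compare (not Marc's code).
// Assumes .NET 6+ and the Microsoft.Data.Sqlite package; all data is constructed.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Data.Sqlite;

static class Program
{
    // Hash a password together with a per-user random salt. SHA-256 is used
    // here in place of the MD5 the post mentions (editor's choice).
    static byte[] HashPassword(string password, byte[] salt)
    {
        using var sha = SHA256.Create();
        var bytes = Encoding.UTF8.GetBytes(password);
        var input = new byte[salt.Length + bytes.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(bytes, 0, input, salt.Length, bytes.Length);
        return sha.ComputeHash(input);
    }

    // VULNERABLE: the user id is concatenated into the SQL text, which is
    // exactly what the post warns against. Kept only to show the failure.
    static int CountByConcatenation(SqliteConnection conn, string userId)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE UserId = '" + userId + "'";
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // SAFE: the user id travels as a parameter, so quotes and comment
    // markers inside it are just characters to match, never SQL syntax.
    static bool TryGetCredential(SqliteConnection conn, string userId, out byte[] salt, out byte[] hash)
    {
        salt = hash = null;
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Salt, PasswordHash FROM Users WHERE UserId = @UserId";
        cmd.Parameters.AddWithValue("@UserId", userId);
        using var reader = cmd.ExecuteReader();
        if (!reader.Read()) return false;
        salt = (byte[])reader["Salt"];
        hash = (byte[])reader["PasswordHash"];
        return true;
    }

    // Recompute the hash from the supplied password and compare in fixed time;
    // the plaintext password is never stored or read back.
    static bool VerifyLogin(SqliteConnection conn, string userId, string password)
    {
        if (!TryGetCredential(conn, userId, out var salt, out var stored)) return false;
        return CryptographicOperations.FixedTimeEquals(HashPassword(password, salt), stored);
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var create = conn.CreateCommand())
        {
            create.CommandText = "CREATE TABLE Users (UserId TEXT PRIMARY KEY, Salt BLOB, PasswordHash BLOB)";
            create.ExecuteNonQuery();
        }

        // Constructed sample user: only salt and hash are written to the table.
        var salt = RandomNumberGenerator.GetBytes(16);
        using (var insert = conn.CreateCommand())
        {
            insert.CommandText = "INSERT INTO Users (UserId, Salt, PasswordHash) VALUES (@u, @s, @h)";
            insert.Parameters.AddWithValue("@u", "O'Neil");
            insert.Parameters.AddWithValue("@s", salt);
            insert.Parameters.AddWithValue("@h", HashPassword("correct horse", salt));
            insert.ExecuteNonQuery();
        }

        Console.WriteLine(VerifyLogin(conn, "O'Neil", "correct horse")); // True
        Console.WriteLine(VerifyLogin(conn, "O'Neil", "wrong"));         // False

        // The apostrophe that breaks the concatenated query is harmless as a parameter.
        Console.WriteLine(TryGetCredential(conn, "O'Neil", out _, out _)); // True
        try { CountByConcatenation(conn, "O'Neil"); }
        catch (SqliteException e) { Console.WriteLine("Concatenation failed: " + e.Message); }

        // The injection string quoted in the post simply matches no user when parameterised.
        Console.WriteLine(TryGetCredential(conn, "Fred' SELECT * FROM sysobjects --", out _, out _)); // False
    }
}
```

The `@UserId` placeholder syntax is what SQLite and SQL Server accept; as the post says, other providers use `?` or another marker, but the parameters collection call stays the same, which is why it is the part to standardise on rather than any escaping logic.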