sql injection - Is my code hackable or secure enough?
I wonder if the app is injectable via the front-end form, the URL, or in some other way.
Frontend:

    <form id="form1" runat="server">
        <asp:HyperLink ID="HyperLinkBack" runat="server" NavigateUrl="~/Default.aspx">Go back</asp:HyperLink>
        <h3>Service Locations</h3>
        <table>
            <tr>
                <td><asp:Label ID="lblFilterValue" Text="Filter value :" runat="server"></asp:Label></td>
                <td><asp:TextBox ID="txtFilterValue" runat="server"></asp:TextBox></td>
                <td> </td>
                <td><asp:Label ID="fieldList" runat="server" Text="Filter :"></asp:Label></td>
                <td><asp:DropDownList ID="drpFields" runat="server"></asp:DropDownList></td>
            </tr>
        </table>
        <br />
        <asp:Button ID="btnReset" runat="server" Text="Reset" OnClick="btnReset_Click" />
        <asp:Button ID="btnSearch" runat="server" Text="Search" OnClick="btnSearch_Click" />
    </form>
Code-behind:

    using System.Configuration;
    using System.Data;
    using System.Data.SqlClient;

    public static DataTable GetLocationFilter(string sField, string sValue)
    {
        // Note: sField is accepted but never used; the stored procedure only
        // receives @sValue, so the drop-down's column choice has no effect.
        DataTable dtData = new DataTable();
        using (SqlConnection conn = new SqlConnection(
                   ConfigurationManager.ConnectionStrings["locations"].ConnectionString))
        using (SqlCommand comm = new SqlCommand("usp_SelectLocations", conn))
        {
            comm.CommandType = CommandType.StoredProcedure;
            // Bound as a parameter: the text is sent to SQL Server as data,
            // never concatenated into the statement.
            comm.Parameters.Add(new SqlParameter("@sValue", sValue));
            using (SqlDataAdapter da = new SqlDataAdapter(comm))
            {
                da.Fill(dtData);
            }
        }
        return dtData;
    }
Stored procedure:

    ALTER PROCEDURE [dbo].[usp_SelectLocations]
        @sValue varchar(250)
    AS
    SELECT *
    FROM Locations
    WHERE Title LIKE @sValue + '%'
       OR Division LIKE @sValue + '%'
       OR LocationType LIKE @sValue + '%'
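As an added example (not the poster's own stored procedure), here is the procedure reworked so the drop-down's column choice is honoured without building SQL text from it, and so LIKE wildcards typed by the user are matched as literal characters. The @sField parameter, the dbo.Locations column names and the backslash ESCAPE character are assumptions.

```sql
-- Added example, not the poster's stored procedure.
-- @sField is an assumed new parameter carrying the drop-down selection.
-- It is only ever compared against fixed column names and never spliced
-- into the statement text, so it cannot change the shape of the query.
ALTER PROCEDURE [dbo].[usp_SelectLocations]
    @sField nvarchar(128),
    @sValue varchar(250)
AS
BEGIN
    SET NOCOUNT ON;
    SET @sField = ISNULL(@sField, N'');

    -- Escape LIKE metacharacters so a user typing "50%" or "a_b" searches
    -- for those literal characters instead of widening the match.
    -- The backslash is escaped first so later replacements are not re-escaped.
    DECLARE @pattern varchar(300) =
        REPLACE(REPLACE(REPLACE(REPLACE(@sValue,
            '\', '\\'),
            '%', '\%'),
            '_', '\_'),
            '[', '\[') + '%';

    SELECT *
    FROM dbo.Locations
    WHERE (@sField = N'Title'        AND Title        LIKE @pattern ESCAPE '\')
       OR (@sField = N'Division'     AND Division     LIKE @pattern ESCAPE '\')
       OR (@sField = N'LocationType' AND LocationType LIKE @pattern ESCAPE '\')
       -- Any other selection (or none) falls back to the original all-column search.
       OR (@sField NOT IN (N'Title', N'Division', N'LocationType')
           AND (Title        LIKE @pattern ESCAPE '\'
             OR Division     LIKE @pattern ESCAPE '\'
             OR LocationType LIKE @pattern ESCAPE '\'));
END
```

On the C# side, pass drpFields.SelectedValue as a second SqlParameter named @sField next to @sValue; the column is still chosen inside the procedure by comparison, not by concatenation.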