Escaping SelectParameters in ASP.NET | ansaurus

tags:

asp.net
sql

views:

46

answers:

1

+1 Q:

Escaping SelectParameters in ASP.NET

I have the following SQLDataSource:

<asp:SqlDataSource ID="topicSource" runat="server" ConnectionString="<%$ ConnectionStrings" 
        SelectCommandType="Text" SelectCommand="SELECT * FROM tbl_Topic WHERE TopicId = @TopicId">
        <SelectParameters>
            <asp:QueryStringParameter Name="TopicId" QueryStringField="id" />
        </SelectParameters>
    </asp:SqlDataSource>

Does ASP.NET escape the select parameter for me? If not, what do I do to make it safer to prevent injections?

+1 A:

Yes: in this case, you are fully protected from SQL injection. That's the whole point for having SQL parameters in this fashion.

Benjamin Pollack 2009-10-15 16:21:02

related questions

Backup SQL Schema Only?

Sql to query a dbs scheme

Timer-based event triggers

Sql query, count and group by

Paging SQL Server 2005 Results

SQL 2005 For XML Explicit - Need help formatting

How do I use T-SQL Group By

What all do I need to escape when sending a (My)SQL query?

Split String in SQL

Datatable vs Dataset

ASP.NET MVC "CRUD" Database Sample

Convert HashBytes to VarChar

Best Book for a new Database Developer

What is the best way to avoid SQL injection attacks?

What language do you use for Postgresql triggers and stored procedures?

What is the best way to handle multiple permission types?

How do I index a database field

Swap unique indexed column values in database.

cx_Oracle - what is the best way to iterate over a result set?

cx_Oracle - How do I access Oracle from Python?

Is there a version control system for database structure changes?

How to export data from SQL Server 2005 to MySQL

ASP.NET Site Maps

Decoding T-SQL CAST in C#/VB.net

Flat File Databases in PHP