Hello, I have a WinForms app (a framework to develop some simple apps), written in C#. My framework will later be used to develop WinForms applications. The other developers are often beginners and sometimes do not use parameters; they write direct SQL in code. So first I need to somehow add protection in my framework's base classes in C#. I have a base class which performs all the SQL actions, so I think I can put some checking there, before executing queries... How can I get protection in C# against direct SQL? Some example would be very useful.

+4  A: 

If your colleagues are writing out their SQL statements, there's no guaranteed/realistic way you can protect against SQL injection except to protect against it manually using parameters in all queries. Even providing a mechanism in your framework isn't a perfect solution since you can still get around it by simply ignoring it (or forgetting to use it).

Instead of rolling your own framework, consider using an ORM such as NHibernate, which takes care of this issue for you (and you don't have to write SQL statements yourself most of the time).

Jon Seigel
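
An added example, not part of the original answer or the asker's framework: one way a base class can push callers toward parameters is to accept only a `FormattableString`, so an interpolated query is converted into a parameterized command and a concatenated `string` does not compile. The class names, the `Customers` table, and the `@pN` placeholder style (SQL Server syntax) are assumptions, and it requires C# 6 / .NET Framework 4.6 or later.

```csharp
using System;
using System.Data;
using System.Data.Common;
using System.Linq;

// Hypothetical framework base class (name and shape are assumptions).
public abstract class SafeDataAccess
{
    private readonly DbConnection _connection; // assumed to be already open
    protected SafeDataAccess(DbConnection connection) { _connection = connection; }

    // The only query entry point. There is deliberately no overload taking string:
    // Query("..." + input) fails to compile, Query($"... {input}") is parameterized.
    protected DataTable Query(FormattableString sql)
    {
        using (DbCommand cmd = BuildCommand(_connection, sql))
        using (DbDataReader reader = cmd.ExecuteReader())
        {
            var table = new DataTable();
            table.Load(reader);
            return table;
        }
    }

    // Turns each {value} hole into a @pN placeholder and binds the value as a parameter.
    public static DbCommand BuildCommand(DbConnection connection, FormattableString sql)
    {
        DbCommand cmd = connection.CreateCommand();
        object[] args = sql.GetArguments();
        object[] names = Enumerable.Range(0, args.Length).Select(i => (object)("@p" + i)).ToArray();
        cmd.CommandText = string.Format(sql.Format, names); // "... WHERE Name = @p0"
        for (int i = 0; i < args.Length; i++)
        {
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = (string)names[i];
            p.Value = args[i] ?? DBNull.Value; // user input travels as data, never as SQL text
            cmd.Parameters.Add(p);
        }
        return cmd;
    }
}

// Constructed usage: what a developer building on the framework would write.
public class CustomerData : SafeDataAccess
{
    public CustomerData(DbConnection c) : base(c) { }
    public DataTable FindByName(string name) =>
        Query($"SELECT Id, Name FROM Customers WHERE Name = {name}");
}
```

As the answer says, this is not a complete guarantee: a developer can still wrap a concatenated string with `FormattableStringFactory.Create` or open their own `DbCommand` outside the base class, so code review remains necessary.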