Dim strname As String
Dim myname As String
myname = My.User.Name
strname = "INSERT INTO [Item Conversion Header Table]([InitiatorName])VALUES(" & myname & ")"
How do I do the syntax correctly for it to be inserted into my SQL Server correctly?
Thanks,
Tom
I'm not going to answer your question directly because what you are doing is a great security risk. You risk your database coming under a SQL Injection attack so I am not going to give you the quick fix. I am going to tell you how to fix your code AND plug the gaping security hole that you have.
Your code injects the string myname directly into the SQL statement. This should be replaced with a parameter so that the attack surface of the application is reduced.
strname = "INSERT INTO [Item Conversion Header Table]([InitiatorName])VALUES(@.myname)"
Dim cmd as SqlCommand
cmd = New SqlCommand(strname, connection)
cmd.Parameters.Add("@.myname", myname)
cmd.ExecuteNonQuery()
I have replaced your injection with a parameter name (@.myname). Then in the command object I add a parameter with the same name and give it the value it needs.
Finally, here is an article aboutSQL Injection attacks and how to prevent them.
Forgot the single '. Use following statement.
strname = "INSERT INTO [Item Conversion Header Table]([InitiatorName])VALUES('" & myname & "')"
Thanks,
Ram|||
potturi_rp wrote:
Om Sri Sai Ram
Forgot the single '. Use following statement.
strname = "INSERT INTO [Item Conversion Header Table]([InitiatorName])VALUES('" & myname & "')"
Thanks,
Ram
Thats the same thing I had.
But I follow on not using the pure injection method.
Thanks,
Tom
No comments:
Post a Comment