These samples all assume that the values being passed into the parameters have already been validated for data type, existence, range and so on, according to the business rules of the application. Because the values travel as parameters rather than as part of the SQL text, there is no need to wrap dates in octothorpes (#), to double up single quotes inside strings, or to add any other delimiters: the database provider handles the value and the statement separately.

The main reason for working this way cannot be over-emphasised: it protects the application against SQL injection. If a value is concatenated straight into the SQL, then whatever the user typed, including quotes and SQL operators, becomes part of the statement that is executed. With a parameter, the SQL text is fixed and the user's input is only ever treated as data. Best practice dictates that, at the very least, parameters are used for every value that is passed into the SQL to be executed, rather than unsanitised values taken straight from the user. Making use of the ASP.NET 2.0 datasource controls is fine, but it is important to understand how to write data access code manually as well.
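The contrast described above, as an added example that is not part of the original page and not the ASP.NET code the page's samples use. It shows the same principle with Python's standard sqlite3 module: a login check built by string concatenation next to the parameterised form, run against a small constructed Users table. The injection string, the O'Brien user name and the date value are all assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original page).
SAMPLE_USERS = [
    ("alice", "s3cret", "2021-03-04"),
    ("bob", "hunter2", "2022-07-19"),
]


def make_db():
    """Create an in-memory database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserName TEXT, Password TEXT, Created TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: the values are spliced into the SQL text, so any
    quote or SQL operator in the input becomes part of the statement.
    An apostrophe in a name breaks the query unless it is doubled by hand."""
    sql = (
        "SELECT COUNT(*) FROM Users WHERE UserName = '" + username
        + "' AND Password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Safe form: the SQL text is fixed and the values are bound separately.
    No delimiters, no doubled quotes; the input is only ever data."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def users_created_after(conn, date_text):
    """A date passed as a parameter needs no # or ' delimiters either;
    the provider binds the value as-is."""
    sql = "SELECT UserName FROM Users WHERE Created > ? ORDER BY UserName"
    return [row[0] for row in conn.execute(sql, (date_text,))]


if __name__ == "__main__":
    conn = make_db()
    attack = "' OR '1'='1"  # classic tautology, assumed attacker input
    print("concatenated, injected :", login_concatenated(conn, attack, attack))
    print("parameterized, injected:", login_parameterized(conn, attack, attack))
    print("parameterized, O'Brien :", login_parameterized(conn, "O'Brien", "x"))
    print("created after 2022-01-01:", users_created_after(conn, "2022-01-01"))
```

With the concatenated version the tautology input turns the WHERE clause into `UserName = '' OR '1'='1' AND Password = '' OR '1'='1'`, which matches every row, so the "login" succeeds with no valid credentials; the same input bound as a parameter matches nothing. The O'Brien case shows the other half of the page's point: concatenation needs the quote doubled to avoid a syntax error, whereas the parameterised query simply accepts the value.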