Never pass a value received as user input into the control channel, i.e. the command text of a Command object in ADO.NET. Instead, always build a parameter list, i.e. send the value over the data channel. This way one can avoid SQL injection.
I.e. if a malicious user passes a DROP TABLE statement as input, it is bound as a plain parameter value and never gets executed as SQL.
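The two channels side by side, as an added C# example that is not part of the original post. It assumes a table Users(UserName NVARCHAR(50), DisplayName NVARCHAR(100)) and a placeholder connection string; both are assumptions, not taken from the post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed schema (not from the post): Users(UserName NVARCHAR(50), DisplayName NVARCHAR(100)).
public static class UserLookup
{
    // VULNERABLE: the user-supplied value is spliced into the command text, so it
    // becomes part of the control channel. An input such as  '; DROP TABLE Users; --
    // changes the statement itself instead of being treated as data.
    public static string FindUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT DisplayName FROM Users WHERE UserName = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: the command text is a constant with a placeholder; the value travels in
    // the Parameters collection (data channel) and is bound by the provider, so it is
    // always compared as a string value and is never parsed as SQL.
    public static string FindSafe(SqlConnection conn, string userName)
    {
        const string sql = "SELECT DisplayName FROM Users WHERE UserName = @userName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length explicitly also rejects oversized input
            // and avoids implicit conversions that can defeat indexes.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            return cmd.ExecuteScalar() as string;
        }
    }

    public static void Main()
    {
        // Placeholder connection string (assumption); replace with your own.
        string connStr = "Server=(local);Database=AppDb;Integrated Security=true";
        using (var conn = new SqlConnection(connStr))
        {
            conn.Open();
            Console.WriteLine(FindSafe(conn, "alice") ?? "(no such user)");
        }
    }
}
```

Passing `'; DROP TABLE Users; --` to FindSafe simply returns no row, because the whole string is looked up as a user name; the same input to FindUnsafe alters the statement the server executes.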
Sunday, November 4, 2007