I am developing an application in MVC-5 and have read several articles about SQL Injection.
I wonder if I have to take any security measures or modify my SELECT commands, or if in fact MVC-5 already has protection against this situation.
Throughout my project I am using the format below to select data from my tables:
string query = "SELECT * FROM TABELA WHERE CHAVE = '" + CH + "'"; // CH is concatenated straight into the SQL text
using (var connection = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
using (var command = new SqlCommand(query, connection))
{
    connection.Open();
    using (var reader = command.ExecuteReader())
    {
        while (reader.Read()) { /* read the columns of each row here */ }
    }
}
This code has nothing to do with ASP.NET MVC, but it is totally susceptible to injection of anything. I think the question is very broad and would need more focus. If you use MVC correctly, and if you use ADO.NET, EF or another access mechanism correctly, then you will not have SQL Injection problems. Script Injection depends on other factors. See if you find anything useful: http://answall.com/search?q=sql+injection But I would advise a more structured study of software development as a whole.
– Maniero
I believe that one way to prevent it is by using stored procedures or ORMs (with lower performance compared to stored procedures).
– Wilson Santos
Stored procedure?? ADO.NET has had the Addparameter feature for years, which already solves this SQL Injection problem.
– jaspion
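The concrete form of what the comments recommend, as an added example that is not code from the question or from any of the commenters: the concatenated query from the question placed beside the same SELECT written with an ADO.NET parameter. It assumes the table TABELA and column CHAVE from the question, a connection string named "ConnectionString" in Web.config, and an NVARCHAR(50) column type for CHAVE (the length 50 is an assumption; use the column's real definition).

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example for the thread above, not the asker's or a commenter's code.
// Assumptions: table TABELA with column CHAVE (from the question), a connection
// string named "ConnectionString" in Web.config, and CHAVE being NVARCHAR(50).
public static class TabelaRepository
{
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

    // VULNERABLE: the pattern from the question. The caller's value becomes part
    // of the SQL text, so a value such as
    //     x' OR '1'='1
    // turns the statement into  WHERE CHAVE = 'x' OR '1'='1'  (every row matches),
    // and  x'; DROP TABLE TABELA; --  appends a second statement.
    public static string BuildUnsafeQuery(string ch)
    {
        return "SELECT * FROM TABELA WHERE CHAVE = '" + ch + "'";
    }

    // SAFE: the SQL text is a constant and the value travels as a typed parameter.
    // SQL Server receives the statement and the value separately, so quotes,
    // semicolons or comment markers inside 'ch' are compared as data and are
    // never parsed as SQL.
    public static DataTable SelectByChave(string ch)
    {
        const string query = "SELECT * FROM TABELA WHERE CHAVE = @chave";

        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(query, connection))
        {
            // Explicit type and length rather than AddWithValue: the value is sent
            // as NVARCHAR(50) (assumed column type), which avoids type inference
            // that can prevent index use or silently convert the value.
            command.Parameters.Add("@chave", SqlDbType.NVarChar, 50).Value = ch;

            connection.Open();
            var result = new DataTable();
            using (var reader = command.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }
}
```

Two caveats worth checking in a real code base: on .NET Framework the System.Configuration assembly must be referenced for ConfigurationManager to compile, and a stored procedure is only as safe as its body, since a procedure that builds dynamic SQL by concatenating its arguments and runs it with EXEC is injectable in exactly the same way as the first method above. The parameterized command is the fix in both cases.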