If I use SubSonic to create DAL for my web project do I need to worry about preventing SQL Injection Attacks?
This depends on how you construct your queries. It is totally possible to write unsafe queries with subsonic if you don't use parameters.
// Bad example:
string sql = "delete from Products where ProductName = " + rawUserInput;
QueryCommand qry = new QueryCommand(sql, Product.Schema.Provider.Name);
DataService.ExecuteQuery(qry);
// Should be:
string sql = "delete from Products where ProductName = @TargetName";
QueryCommand qry = new QueryCommand(sql, Product.Schema.Provider.Name);
qry.AddParamter("@TargetName", rawUserInput, DbType.String);
DataService.ExecuteQuery(qry);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With