c# - How to prevent a SQL Injection escaping strings -
i have queries (to acccess database) :
string comando = "select * anagrafica e_mail='" + user + "' , password_azienda='" + password + "'"; and i'd "escape" user , password, preventing injection.
how can c# , .net 3.5? i'm searching somethings mysql_escape_string on php...
you need use parameters. dont have preferable.
sqlparameter[] myparm = new sqlparameter[2]; myparm[0] = new sqlparameter("@user",user); myparm[1] = new sqlparameter("@pass",password); string comando = "select * anagrafica e_mail=@user , password_azienda=@pass";
Comments
Post a Comment