Is this query safe from sql inject?

Asked Feb 25 '16 at 22:08

Active Feb 25 '16 at 22:08

Viewed 45 times

This code looks fairly parameterized to me. I'm assuming this code is safe from a drop database command. Am I incorrect? Is there a better way to build queries with vb?

fname = A
lname = B
name = AB

SQL = "INSERT into [mydb].[db].[Table Name] (FName,LName,Name)"
SQL = SQL & "Values ('" & fname & "','" & lname & "','" & name)

'Execute SQL statement.
dbConn.Execute(SQL)

asked Feb 25 '16 at 22:08

user2133925

4

No, this query is not parametrized and is not safe. Please see http://stackoverflow.com/q/332365/11683 – GSerg Feb 25 '16 at 22:10
1

look at http://stackoverflow.com/questions/4018174/preventing-sql-injection-in-asp-net – meet thakkar Feb 25 '16 at 22:10
5

No, this code is not parameterized. What happens if you set `A="1','2','3'); drop database MYDBNAME; --"` ? – Blorgbeard Feb 25 '16 at 22:11
2

Also, your final paren isn't a string literal and would cause a syntax error. But that's just FYI. Don't fix it. Make the query parameterized as the others have said. – Bob Kaufman Feb 25 '16 at 22:14
2

As long as you're building a query by string concatenation you're practically *always* vulnerable to SQL injection. – Ansgar Wiechers Feb 25 '16 at 22:15
@meetthakkar ADO.Net and ADO are not the same. – user692942 Feb 26 '16 at 11:21

Is this query safe from sql inject?

0 Answers0