Can System.Data.DataRow used for SQL injection?

296 Views Asked by kovacs lorand At 29 August 2022 at 15:06

I am aware that for SqlCommand I have to use SqlParameter when passing parameters to the query, to avoid SQL injection. But what about the DataRow? For example:

row.UserComment = tbUserComment.Text;

Here "row" is a System.Data.DataRow that will be saved to the DB with an SqlDataAdapter. And "tbUserComment.Text" is an ASP.NET TextBox that is filled by the user. Can this be used for SQL injection? If yes, then what can I do to prevent it?

Original Q&A

There are 1 best solutions below

Bron Davies On 29 August 2022 at 15:16 BEST ANSWER

See in this documentation: https://learn.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqldataadapter?view=dotnet-plat-ext-6.0

The InsertCommand, DeleteCommand, and UpdateCommand are generic templates that are automatically filled with individual values from every modified row through the parameters mechanism.

So this will automatically parameterize the DataRow meaning there should be no possibility of SQL injection if this pattern is adhered to.

Can System.Data.DataRow used for SQL injection?

There are 1 best solutions below

Related Questions in C#

Related Questions in ADO.NET

Related Questions in SQL-INJECTION

Related Questions in DATAROW

Trending Questions

Popular # Hahtags

Popular Questions