thugster69 (Active member; joined Jun 17, 2010; 35 messages; programming experience: Beginner)
Hey guys,
I recently discovered that my SQL statement is prone to simple SQL injections like typing " ';" or " ' " (without the quotation marks).
My first remedy for this was to include a Regex.Replace statement in the code:
VB.NET:
Imports System.Data
Imports System.Text.RegularExpressions

' sqlconn is assumed to be the SqlConnection declared elsewhere in the form
' Strip everything except letters, digits and spaces from each textbox value
Dim strUsernameRegex As String = Regex.Replace(txtUsername.Text, "[^0-9a-zA-Z ]+?", "")
Dim strPasswordRegex As String = Regex.Replace(txtPassword.Text, "[^0-9a-zA-Z ]+?", "")
' The query is still assembled by string concatenation; the Regex.Replace above is the only filtering
Dim sqlcomm As New SqlClient.SqlCommand( _
    "USE master_db" & vbCrLf & _
    "SELECT * FROM [users_table] WHERE username='" & strUsernameRegex & "' AND password='" & strPasswordRegex & "';", sqlconn)
But, having a lot of textboxes into which a user can type the said injection, it would be a waste of code space and time to give every one of them its own Regex.Replace.
I'm searching for a more efficient way of handling this error. I hope you can help me with this.
Thanks!
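A parameterized version of the login query, added here as an example rather than the poster's own code; it assumes an already open SqlConnection (conn) and keeps the table and column names from the post. One helper serves every form, so the textbox values are passed through unchanged and no per-field Regex.Replace is needed:

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Collections.Generic

Module SafeQueries
    ' Builds a command whose user-supplied values travel as parameters rather than
    ' as text spliced into the SQL. SQL Server then treats input such as ' or ';
    ' as data, never as part of the statement, so no per-textbox filtering is needed.
    Public Function BuildCommand(conn As SqlConnection, sql As String, _
                                 values As Dictionary(Of String, Object)) As SqlCommand
        Dim cmd As New SqlCommand(sql, conn)
        For Each kv In values
            ' AddWithValue infers the SQL type; Nothing is sent as NULL.
            ' (Using Parameters.Add with an explicit SqlDbType and length is
            ' preferable for plan-cache stability on hot queries.)
            cmd.Parameters.AddWithValue(kv.Key, If(kv.Value, DBNull.Value))
        Next
        Return cmd
    End Function

    ' Login check for the users_table query from the post. The textbox contents go
    ' in as-is, so a legitimate password containing ' or ; still works. The database
    ' belongs in the connection string instead of a leading "USE master_db".
    ' (In a real system the password column should hold a salted hash and the
    ' comparison should be done against that hash, not the plaintext.)
    Public Function UserExists(conn As SqlConnection, username As String, password As String) As Boolean
        Dim values As New Dictionary(Of String, Object) From {
            {"@username", username},
            {"@password", password}
        }
        Using cmd = BuildCommand(conn, _
            "SELECT COUNT(*) FROM [users_table] WHERE username = @username AND password = @password", values)
            Return CInt(cmd.ExecuteScalar()) > 0
        End Using
    End Function
End Module
```

From a form, the call is simply UserExists(conn, txtUsername.Text, txtPassword.Text); the same BuildCommand helper works for any other query that takes textbox input.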