From the course: Security in ASP.NET Core
SQL injection with ADO.NET - ASP.NET Tutorial
- [Instructor] If you remember the OWASP Top 10 list we covered earlier, in the history of that list, SQL Injection has been in the top spot for many, many years. Situation is getting a little bit better now, but it's still a dangerous attack. But to be honest, hard to pull off with ASP.NET Core. Essentially there are two main options. One is to use ADO.NET that was part of .NET Framework back then, but can also be used in new .NET, so also in ASP.NET Core applications. And essentially you have an SQL command and then you run this command. And if you're reading out data, you do execute reader, but there are other options as well. And for many decades, the SQL then looked something like this. It was created using string concatenation, which is not such a good idea when id, say, would be something like 42 semicolon drop table articles. That's not a command we'd like to send to our database. So, bad idea. In SQL, we have commands and data in the same string. So if we're doing string…
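The concatenation problem described in the transcript, shown beside a parameterized command, as an added C# example that is not part of the course material. It assumes the Microsoft.Data.SqlClient NuGet package; the query text and the names `ArticleQueries`, `BuildConcatenated` and `BuildParameterized` are hypothetical. The commands are only built and printed, so no database is needed.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient; // assumption: SQL Server ADO.NET provider package

static class ArticleQueries
{
    // Vulnerable pattern from the transcript: the request value becomes part
    // of the SQL text, so commands and data travel in the same string.
    public static SqlCommand BuildConcatenated(string id) =>
        new SqlCommand("SELECT * FROM articles WHERE id = " + id);

    // Hardened form: the SQL text is a constant and the value is sent
    // separately as a typed parameter. Non-numeric input is rejected early.
    public static SqlCommand BuildParameterized(string id)
    {
        if (!int.TryParse(id, out int articleId))
            throw new ArgumentException("id must be an integer", nameof(id));

        var cmd = new SqlCommand("SELECT * FROM articles WHERE id = @id");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = articleId;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs; the second is the value from the transcript.
        string[] inputs = { "42", "42; DROP TABLE articles" };

        foreach (string input in inputs)
        {
            using SqlCommand bad = BuildConcatenated(input);
            Console.WriteLine($"concatenated  : {bad.CommandText}");

            try
            {
                using SqlCommand good = BuildParameterized(input);
                Console.WriteLine($"parameterized : {good.CommandText}" +
                                  $"  [@id = {good.Parameters["@id"].Value}]");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine($"parameterized : rejected ({ex.Message})");
            }
        }
    }
}
```

In an application, each command would get an open `SqlConnection` assigned to its `Connection` property before `ExecuteReader()` is called.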
Contents
- OWASP Top Ten (2m 45s)
- Cross-site scripting (XSS): The attack (4m 33s)
- Cross-site scripting (XSS): The defense (3m 25s)
- Cross-site scripting (XSS) in JavaScript (4m 40s)
- Cross-site scripting (XSS) in single-page applications (3m 30s)
- Same-origin policy and CORS (4m 26s)
- Enabling CORS in ASP.NET Core web API (6m 23s)
- SQL injection with ADO.NET (2m 25s)
- SQL injection with Entity Framework Core (2m 34s)
- Fixing SQL injection (5m 23s)
- Cross-Site Request Forgery (CSRF): The attack (5m 25s)
- Cross-Site Request Forgery (CSRF): The defense (7m 11s)