But is the whitelist/blacklist filtering really aimed at something else, like cross-site scripting?

I've expanded my example below. Thanks.

On May 10, 5:59 am, Cerebrus <[email protected]> wrote:
> Assuming you intend to set the parameter via code, it helps to know
> that the SqlParameter class has some built-in validation directed
> towards SQL injection, but Steve's warning still holds. In a high
> security scenario, no amount of validation can be termed "sufficient",
> but you can surely put in measures that will help you sleep soundly at
> night (or day, depending on your inclination).
>
> > On May 16, 3:03 pm, Davej <[email protected]> wrote:
> Dim str As String
> Dim name As String = "Cerebus"
>
> str = "SELECT * " & _
>       "FROM EMPLOYEE " & _
>       "WHERE LastName = @LName "
>
> ' con is an already-open SqlConnection; the value is bound to @LName,
> ' not spliced into the SQL text
> Dim cmd As New SqlCommand(str, con)
> cmd.Parameters.AddWithValue("@LName", name)
>
> > On May 2, 2:34 am, Cerebrus <[email protected]> wrote:
> > > Define "parameterized string".
> > >
> > > On Apr 29, 9:58 pm, Davej <[email protected]> wrote:
> > > > Can parameterized strings still be vulnerable to SQL injection?
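As an added example (not code from the thread, and Python/sqlite3 rather than ADO.NET, so it runs stand-alone), the script below does what Davej's VB.NET snippet does and answers the question in the subject line: a bound parameter stops the classic quote-break payload, but parameters only stand in for values, so an identifier such as the ORDER BY column spliced into the SQL text is still injectable even when the WHERE clause is parameterized. That is the place where an allow-list (the "whitelist" asked about above) still belongs. The EMPLOYEE rows and the EmpId/Salary columns are constructed sample data; the original post only shows LastName.

```python
import sqlite3

# Constructed sample data, not from the thread.
ROWS = [(1, "Cerebrus", 50000), (2, "Davej", 60000), (3, "Smith", 70000)]


def make_db():
    """In-memory EMPLOYEE table matching the query in the post."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EMPLOYEE (EmpId INTEGER, LastName TEXT, Salary INTEGER)")
    con.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)", ROWS)
    return con


def concat_lookup(con, last_name):
    """Vulnerable: the caller's string becomes part of the SQL text."""
    sql = "SELECT LastName FROM EMPLOYEE WHERE LastName = '" + last_name + "'"
    return [row[0] for row in con.execute(sql)]


def param_lookup(con, last_name):
    """Parameterized, the equivalent of SqlCommand + AddWithValue in the post.
    The driver passes the value separately from the statement, so the
    database never parses it as SQL; no quoting or filtering is needed."""
    sql = "SELECT LastName FROM EMPLOYEE WHERE LastName = :LName"
    return [row[0] for row in con.execute(sql, {"LName": last_name})]


# Allow-list of identifiers that may appear in ORDER BY. Identifiers cannot be
# bound as parameters, so this check is the only thing protecting that clause.
ORDER_COLUMNS = frozenset({"EmpId", "LastName", "Salary"})


def order_column_allowed(order_col):
    return order_col in ORDER_COLUMNS


def unsafe_sorted(con, min_salary, order_col):
    """WHERE is parameterized, ORDER BY is concatenated: still injectable.
    An attacker-chosen CASE expression turns row order into a boolean oracle."""
    sql = "SELECT LastName FROM EMPLOYEE WHERE Salary >= :min ORDER BY " + order_col
    return [row[0] for row in con.execute(sql, {"min": min_salary})]


def safe_sorted(con, min_salary, order_col):
    """Same query with the identifier checked against the allow-list first."""
    if not order_column_allowed(order_col):
        raise ValueError("unknown sort column: %r" % order_col)
    sql = "SELECT LastName FROM EMPLOYEE WHERE Salary >= :min ORDER BY " + order_col
    return [row[0] for row in con.execute(sql, {"min": min_salary})]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concatenated:", concat_lookup(db, payload))   # every row leaks
    print("parameterized:", param_lookup(db, payload))   # no row matches
    # Blind probe through ORDER BY: sort order reveals whether EmpId 3 earns > 65000.
    probe = ("(CASE WHEN (SELECT Salary FROM EMPLOYEE WHERE EmpId = 3) > 65000 "
             "THEN LastName ELSE -EmpId END)")
    print("unsafe ORDER BY:", unsafe_sorted(db, 0, probe))
    print("allow-listed:", safe_sorted(db, 55000, "Salary"))
```

The `:LName` placeholder here and `AddWithValue("@LName", ...)` in ADO.NET work the same way, so the answer to the subject line is: not through the bound value itself. Filtering still matters for the parts of a statement that cannot be parameters (table and column names, sort direction, a parameter later concatenated into dynamic SQL inside a stored procedure), and, separately, for output: a LastName stored as `<script>...</script>` comes back out of the database intact, which is the cross-site-scripting concern rather than an injection one.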
