SQL injection

Posts: 11
Joined: 09-Jul-2004
# Posted on: 30-Jul-2004 00:37:47   

Should this be something I need to protect against? Or does llbl gen pro deal with it?

Cheers

Gareth

Otis
LLBLGen Pro Team
Posts: 39933
Joined: 17-Aug-2003
# Posted on: 30-Jul-2004 09:46:25   

Every value which is used in a query is stored in a parameter and therefore isn't embedded in the query, so it is impossible to manipulate the query with a value, so SQL injection is not possible.

Frans Bouma | Lead developer LLBLGen Pro
Posts: 11
Joined: 09-Jul-2004
# Posted on: 31-Jul-2004 12:24:54   

Thanks, I did think so, but worth checking!

netLearner
User
Posts: 150
Joined: 18-Oct-2003
# Posted on: 06-Aug-2004 19:27:23   

Every value which is used in a query is stored in a parameter and therefore isn't embedded in the query, so it is impossible to manipulate the query with a value, so SQL injection is not possible.


Frans

If you don't mind could you explain the above in simpler terms or by giving an example. I don't really understand the above. Sorry for the trouble. Thanks.

Trig
User
Posts: 96
Joined: 09-Jun-2004
# Posted on: 06-Aug-2004 19:35:09   

SQL injection is made possible by concatenating a value taken from user input into your SQL query string. Say you have a textbox holding a user's name; without using parameters you would do something like this:

string sql = "Select * from Users where Name = '" + tbName.Text + "'";

Well, if I were an attacker I could fill in a SQL injection attack there in that textbox and it would work. However, when using parameters, your SQL string is composed of something like this:

"Select * from Users where Name = @Name"

Then in the dynamic query engine, the parameter is passed to the SQL server in the same way a parameter is passed to a stored procedure. So instead of reading the SQL string verbatim and processing it, it processes the string, then plugs in the appropriate parameter values, preventing processing of any malicious code.
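The contrast Trig describes, as an added Python/sqlite example that is not from this thread or from LLBLGen Pro: the same lookup built by string concatenation and with a placeholder, run against a constructed in-memory Users table. A value that merely contains an apostrophe is enough to show the difference: it breaks the concatenated statement, while the parameterized query treats it as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demo (not a real application schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany(
        "INSERT INTO Users (Name) VALUES (?)",
        [("alice",), ("O'Brien",)],
    )
    return conn


def lookup_by_concatenation(conn, name):
    """The pattern Trig warns about: the user value becomes part of the SQL text,
    so any quote or keyword inside it is parsed as SQL."""
    sql = "SELECT Name FROM Users WHERE Name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_parameter(conn, name):
    """Same query with a placeholder: the driver sends the value separately from
    the statement, so the statement's structure can never change."""
    sql = "SELECT Name FROM Users WHERE Name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo(name="O'Brien"):
    """Run both variants on one input and report what each one did."""
    conn = make_db()
    results = {"param": lookup_by_parameter(conn, name)}
    try:
        results["concat"] = lookup_by_concatenation(conn, name)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early; the rest is
        # read as SQL and the statement no longer parses.
        results["concat"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```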

netLearner
User
Posts: 150
Joined: 18-Oct-2003
# Posted on: 06-Aug-2004 19:45:58   

Thanks Trig.

mafti
User
Posts: 38
Joined: 27-Oct-2004
# Posted on: 17-Nov-2004 15:42:11   

Is this also true for filters?

I guess so, but just double-checking for my boss :)

uydo
User
Posts: 43
Joined: 09-Dec-2003
# Posted on: 17-Nov-2004 16:57:33   

Hi, one way to see whether the SQL statements are injectable or not is to use tools like 'SQL Profiler'. If you don't have any code yet, just use the Northwind example to get started.

HTH,

Uy.

Otis
LLBLGen Pro Team
Posts: 39933
Joined: 17-Aug-2003
# Posted on: 17-Nov-2004 17:19:18   

All values are parameterized, or the statement is not supported. So there is no SQL injection possible for any filter, as all values are used as parameters.

Frans Bouma | Lead developer LLBLGen Pro