Escaping SelectParameters in ASP.NET

I have the following SqlDataSource:

<asp:SqlDataSource ID="topicSource" runat="server" ConnectionString="<%$ ConnectionStrings" 
        SelectCommandType="Text" SelectCommand="SELECT * FROM tbl_Topic WHERE TopicId = @TopicId">
        <SelectParameters>
            <asp:QueryStringParameter Name="TopicId" QueryStringField="id" />
        </SelectParameters>
    </asp:SqlDataSource>

      

Is ASP.NET escaping the select parameter for me? If not, what do I need to do to make it safer and prevent injection?

+2




1 answer


Yes: in this case, you are completely protected from SQL injection. It's all about having SQL options like this.



+2
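The difference the answer relies on, written out as code-behind (an added example, not code from the question or the answer). It assumes `TopicId` is an integer column; the class and method names are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class TopicQueries
{
    // Vulnerable pattern, shown for contrast only: the query-string value
    // becomes part of the SQL text, so the server parses it as SQL.
    public static SqlCommand BuildConcatenated(SqlConnection conn, string idFromQueryString)
    {
        return new SqlCommand(
            "SELECT * FROM tbl_Topic WHERE TopicId = " + idFromQueryString, conn);
    }

    // Parameterized pattern, which is what @TopicId plus a SelectParameters
    // entry gives you in the markup: the SQL text is constant and the value
    // is sent separately as a typed parameter, never parsed as SQL.
    public static SqlCommand BuildParameterized(SqlConnection conn, string idFromQueryString)
    {
        int topicId;
        // Assumption: TopicId is an int column, so reject anything else early.
        if (!int.TryParse(idFromQueryString, out topicId))
            throw new ArgumentException("id must be an integer", "idFromQueryString");

        var cmd = new SqlCommand(
            "SELECT * FROM tbl_Topic WHERE TopicId = @TopicId", conn);
        cmd.Parameters.Add("@TopicId", SqlDbType.Int).Value = topicId;
        return cmd;
    }

    // Runs the parameterized query and returns the matching rows.
    public static DataTable LoadTopic(string connectionString, string idFromQueryString)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterized(conn, idFromQueryString))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table); // Fill opens and closes the connection itself
            return table;
        }
    }
}
```

In the markup, the matching tightening is to set `Type="Int32"` on the `QueryStringParameter`, so a non-numeric `id` fails conversion instead of reaching the database as a string.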

