SQL Injection
Considering SQL injection attacks (and not performance reasons), what is the difference between the two examples below? Taking the two examples into consideration, I don't understand how using a SP is any safer against attacks?
Dim MySql As String = "SELECT field1 FROM table1 WHERE field2 = @search"
Dim MyCommand As New SqlCommand(MySql, MyConnection)
' Parameters.Add returns the SqlParameter it creates, so no separate New SqlParameter is needed
Dim sp As SqlParameter = MyCommand.Parameters.Add("@search", SqlDbType.VarChar)
sp.Value = Request.QueryString("search")
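As an added illustration that is not part of the original post, here is the post's query run two ways against an in-memory SQLite table with constructed rows: once built by string concatenation, and once with a bound parameter, which is the Python sqlite3 equivalent of adding a SqlParameter. The bound parameter is what keeps the untrusted value as data; whether the statement text is inline SQL or a stored procedure call does not change that.

```python
import sqlite3

# Constructed sample data standing in for the post's table1 / field1 / field2.
ROWS = [("alpha", "apple"), ("bravo", "banana"), ("charlie", "cherry")]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE table1 (field1 TEXT, field2 TEXT)")
    con.executemany("INSERT INTO table1 VALUES (?, ?)", ROWS)
    return con


def search_concat(con, search):
    # The pattern the question is contrasting against: the untrusted value is
    # spliced into the SQL text, so a quote character in it rewrites the statement.
    sql = "SELECT field1 FROM table1 WHERE field2 = '" + search + "'"
    return [row[0] for row in con.execute(sql)]


def search_param(con, search):
    # Equivalent of MyCommand.Parameters.Add("@search", ...) with sp.Value set:
    # the SQL text is fixed and the value is bound separately, so it is only
    # ever compared as a string and never parsed as SQL.
    sql = "SELECT field1 FROM table1 WHERE field2 = ?"
    return [row[0] for row in con.execute(sql, (search,))]


if __name__ == "__main__":
    con = make_db()
    benign = "banana"
    quoted = "x' OR 'x'='x"  # constructed input containing a quote character
    print(search_concat(con, benign))  # ['bravo']
    print(search_param(con, benign))   # ['bravo']
    print(search_concat(con, quoted))  # all three rows: the WHERE clause was rewritten
    print(search_param(con, quoted))   # []: no field2 literally equals that string
```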