[CasiOo]

I am using my SqlDataSource to execute queries against my MySQL database.
Will it be possible to do SQL injection when I add parameters like below? I am unsure because I never specify a DbType of the parameter (because I need MySQL types)

            SqlDataSource.SelectCommand = "SELECT id, name, thumbnail FROM dishes WHERE foodCategoryID=?";
            Parameter parameter = new Parameter();
            parameter.DefaultValue = "1"; //This value will come from the query string when made correctly
            SqlDataSource.SelectParameters.Add(parameter);
            CatalogListView.DataBind();

This post has been edited by CasiOo: 27 July 2012 - 09:13 AM

[modi123_1]

Quote

Use type-safe SQL parameters for data access. You can use these parameters with stored procedures or dynamically constructed SQL command strings. Parameter collections such as SqlParameterCollection provide type checking and length validation. If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code. An additional benefit of using a parameters collection is that you can enforce type and length checks. Values outside of the range trigger an exception. This is a good example of defense in depth.

http://msdn.microsof...y/ff648339.aspx

MS prefers you specify the datatype.. you should be able to do that and be fine..

[CasiOo]

I tried specifying a datatype before but I got an error saying wrong odbc type. I thought it was cause of MySQL datatypes.

Now I tried again and it worked.... guess I just entered the wrong one

thanks

Edit:
Yeah I think I used uint for: foodCategoryID INTEGER UNSIGNED NOT NULL
It should have been Int64

This post has been edited by CasiOo: 27 July 2012 - 02:27 PM

[Nakor]

here is a MySQL connector for .net. it includes a mysqldatasource if I remember right. If not it still makes working with MySQL in your code pretty simple.

Here's the documentation page for it

This post has been edited by Nakor: 27 July 2012 - 03:09 PM