Re: sql escaping

Aaron Bockover a écrit :
> Using String.Format to construct a query with parameters is very
> incorrect, for this very reason (and often if escaping is not done
> properly, it can lead to security issues). While in applications like
> F-Spot and Banshee, using String.Format is okay in many situations,
> using the following method of command construction is critical for when
> strings are parameters (as you have just run into).
> [...]
> Granted, doing that manually is highly annoying. In Banshee I have a
> utility layer to make constructing proper parameter commands much
> simpler. Either way, this should solve the escaping issue.

Indeed, using the Banshee helper is as easy as using String.Format()

(well if it is actually a correct fix..)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]