CRV2 SQLInjdotNET

.NET Parameter collections such as SqlParameterCollection provide type checking and length validation. If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code, and therefore the payload can not be injected. Using a parameters collection lets you enforce type and length checks. Values outside of the range trigger an exception. Make sure you handle the exception correctly. Example of the SqlParameterCollection:

using System.Data; using System.Data.SqlClient; using (SqlConnection conn = new SqlConnection(connectionString)) { DataSet dataObj = new DataSet; SqlDataAdapter sqlAdapter = new SqlDataAdapter( "StoredProc", conn); sqlAdapter.SelectCommand.CommandType = CommandType.StoredProcedure; //specify param type sqlAdapter.SelectCommand.Parameters.Add("@usrId", SqlDbType.VarChar, 15); sqlAdapter.SelectCommand.Parameters["@usrId "].Value = UID.Text; // Add data from user sqlAdapter.Fill(dataObj); // populate and execute proc }