User1052662409 posted
Hi All,
I always use parameterized queries for my CRUD operations, like below, to prevent SQL Injection.
Update tbluser Set Username =@Username.... so on
// some code goes here
command.Parameters.AddWithValue("@Username", txtUsername.Text);
That works fine.
Actually, I was in a conversation about "SQL Injection", and I found that someone was saying we can have a shortcut method for SQL Injection, and we don't even need to do parameterized queries.
[And he was using CRUD operation like below]
Update tbluser Set Username ='"+txtUsername.Text+"'.... so on
I was shocked: what is that? Then I asked him, how can we achieve this without using parameterized queries? He said we can set this in its own webconfig file (with inline queries). After that the conversation ended.
I went back to my place and tried to find some way to bypass parameterized queries using the webconfig file with inline queries. But unfortunately I did not find one.
Did anybody use that webconfig method? Or is there any setting regarding parameterized queries in webconfig which can handle SQL Injection for the whole web application?
Please give your inputs / suggestions.
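The two forms discussed in the post side by side, as an added example that is not part of the original post or of any project: the concatenated UPDATE that builds SQL text from txtUsername.Text, and the same statement with typed parameters. There is no web.config setting that turns a concatenated inline query into a parameterized one; the database receives exactly the string the application sends, so the protection has to be in the command itself. The table and column names (tbluser, Username, UserID), the column length of 50 and the connection string are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Assumes a SQL Server table
// tbluser(UserID int, Username nvarchar(50)); the names, the length 50 and
// the connection string are assumptions.
public static class UserRepository
{
    // Builds the SQL text the way the concatenated query in the post does.
    // Separated out so the resulting text can be inspected without a database.
    public static string BuildConcatenatedSql(int userId, string username)
    {
        return "UPDATE tbluser SET Username = '" + username + "' WHERE UserID = " + userId;
    }

    // Fixed SQL text used by the parameterized form; input never changes it.
    public const string ParameterizedSql =
        "UPDATE tbluser SET Username = @Username WHERE UserID = @UserID";

    // "Before": the inline form from the post. The user's input becomes part of
    // the statement, so the server cannot tell data from command. No
    // configuration file changes what is sent here.
    public static int UpdateUsernameUnsafe(string connectionString, int userId, string username)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(BuildConcatenatedSql(userId, username), connection))
        {
            connection.Open();
            return command.ExecuteNonQuery();
        }
    }

    // "After": the statement text is constant and the values travel as typed
    // parameters. Parameters.Add with an explicit SqlDbType and length is
    // preferred over AddWithValue, which infers the type from the .NET value
    // and can produce a different plan per input length.
    public static int UpdateUsernameSafe(string connectionString, int userId, string username)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(ParameterizedSql, connection))
        {
            command.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            command.Parameters.Add("@UserID", SqlDbType.Int).Value = userId;
            connection.Open();
            return command.ExecuteNonQuery();
        }
    }

    // Offline demonstration: a constructed, perfectly legitimate name that
    // contains an apostrophe already breaks the concatenated statement, while
    // the parameterized text is identical for every input.
    public static void Main()
    {
        string sample = "O'Brien"; // constructed sample input
        Console.WriteLine("Concatenated:  " + BuildConcatenatedSql(1, sample));
        Console.WriteLine("Parameterized: " + ParameterizedSql + "  (@Username = " + sample + ")");
    }
}
```

Running Main shows the concatenated text ending in `'O'Brien' WHERE UserID = 1`, which the server parses as a string `'O'` followed by a syntax error, whereas the parameterized text never changes; that fixed statement text, not any web.config key, is what stops the injection class of bug. The same rule holds for stored procedures, ORMs and Entity Framework: they are safe only as long as the SQL text they issue is not assembled from user input.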