Dibyajyoti Palata

Dibyajyoti Palata

  • 1.5k
  • 275
  • 14.2k

Hi Team,I am getting SQL Injection issue.Please give some suggestion

Jan 16 2023 7:19 AM
public DataTable GetDataTable(string spname,string parameters)
{
DatatTable dt=new DataTable();
try
{
using(sqlcommand cmd=new sqlcommand("",conn))
{
ArrayList aParams;
string[] avalues=parameters.Split(new String[] {"_"},StringSplitOptions.None);
cmd.CommandType=CommandType.StpredProcedure;
cmd.CommandText=spname;
cmd.CommandTimeOut=Convert.ToInt32(ConfigurationManager.AppSettings[CommandTimeOut]);
aParams=GetParameterList(spname);
for(Int32 i=0;i<aParams.Count;i++)
{
cmd.Parameters.Add(new SqlParameters((String)aParams[i],(String)aValues[i]));
}
conn.Open();
SqlDataReader strReader;
strReader=cmd.ExecureReader();
While(strReader.Read())
{
dt.Rows.Add(strReader[0].ToString());
}
conn.Close();
}
}
Catch(Exception ex)
{
//return ex;
}
return dt;
}

Note: I am getting SQL Injection issue on this line "  strReader=cmd.ExecureReader();".Please give me some suggestion to resolve this SQL Injection issues.


Answers (5)