TalesFromTheSmellySide(Of Code) – Episode #2 – SQL Injection Infection


Just so folks don’t think I’m coming off as elitist with my [new little series](http://joeydotnet.com/blog/archive/2007/10/29/talesfromthesmellysideltcodegt—episode-1.aspx), here’s an oldie but a goodie from yours truly on **my first .NET project way back in early 2002.** (And really, my first real programming project, since my previous life was mainly doing scripting/automation.)

And this is VB, folks. (Notice the title change?)

```vb
' Column name, field value and hostname are all spliced straight into the SQL text.
' Only the field value has its single quotes stripped; the hostname goes in untouched.
cmd.CommandText = "UPDATE ATT_Circuits SET " & strField & "='" & strControlText.Replace("'", "") & "' WHERE Hostname='" & txtHostname.Text & "'"
```

Ok, so I don’t think I really need to point out all the embarrassing problems in this one line of code. Obviously it should be parameterized, and that Hungarian notation just gives me the willies. Oh, and did I mention that I had this right in the code-behind for a web form? Eeek!
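What the parameterized version of that UPDATE looks like, as an added example (Python with an in-memory SQLite stand-in for the ATT_Circuits table, not the original VB): the two values become bound parameters, and the column name, which cannot be a parameter, is checked against an allowlist instead of being concatenated in. The table columns and rows are constructed for the example.

```python
import sqlite3

# The column name cannot be a bind parameter, so it is validated against this
# allowlist (assumed columns) instead of being spliced in from user input.
ALLOWED_FIELDS = {"Status", "Location", "Owner"}


def make_db():
    """Constructed in-memory stand-in for the ATT_Circuits table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ATT_Circuits "
        "(Hostname TEXT PRIMARY KEY, Status TEXT, Location TEXT, Owner TEXT)"
    )
    con.executemany(
        "INSERT INTO ATT_Circuits VALUES (?, ?, ?, ?)",
        [("rtr-01", "up", "NYC", "ops"), ("rtr-02", "up", "LA", "ops")],
    )
    con.commit()
    return con


def legacy_strip(value):
    """What the original Replace("'", "") did: it silently mangles legitimate data."""
    return value.replace("'", "")


def update_circuit(con, field, value, hostname):
    """Parameterized equivalent of the original UPDATE. Returns rows affected."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"refusing to update unknown column {field!r}")
    # field is safe after the allowlist check; value and hostname are bound,
    # so any quotes they contain are data, not SQL. Nothing needs stripping.
    cur = con.execute(
        f"UPDATE ATT_Circuits SET {field} = ? WHERE Hostname = ?",
        (value, hostname),
    )
    con.commit()
    return cur.rowcount


def read_all(con):
    """Snapshot of the table as {hostname: (status, location, owner)}."""
    rows = con.execute("SELECT * FROM ATT_Circuits ORDER BY Hostname")
    return {row[0]: row[1:] for row in rows}
```

A value like O'Brien is stored verbatim by the parameterized version, whereas the quote-stripping approach would have saved OBrien; a hostname containing a quote simply matches no row.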

In my defense, at the time (and some would say this is still the case), that’s what Microsoft was encouraging. Back then I didn’t know any better. But thankfully the many evening and late night hours I’ve spent over the past 5 years have allowed me to learn much better ways of building software. <insert thank you to my wife here /> Of course, this process seems to never cease! 😐

**Anyone else brave enough to share smells from their first software projects? 😀**
