TalesFromTheSmellySide(Of Code) – Episode #2 – SQL Injection Infection
Just so folks don’t think I’m coming off as elitist with my [new
little series](http://joeydotnet.com/blog/archive/2007/10/29/talesfromthesmellysideltcodegt—episode-1.aspx), here’s an oldie but a goodie from yours truly on **my
first .NET project way back in early 2002.** (And really, my first real
programming project, since my previous life was mainly doing
And this is VB, folks.
```vb
cmd.CommandText = "UPDATE ATT_Circuits SET " & strField & "='" & strControlText.Replace("'", "") & "' WHERE Hostname='" & txtHostname.Text & "'"
```
OK, so I don't think I really need to point out all the embarrassing problems
in this one line of code. Obviously it should be parameterized, and that
Hungarian notation just gives me the willies. Oh, and did I mention that I had
this right in the code-behind for a web form? Eeek!
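For anyone who wants to see what "parameterized" looks like for that exact statement, here is an added example (mine, not code from the original post). The value and the hostname become `SqlCommand` parameters, which is what removes the injection; the column name cannot be a parameter, so it is checked against a fixed list instead of being concatenated straight from `strField`. The `AllowedFields` list, the column names in it, and the `UpdateCircuitField` helper are assumptions for illustration.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Class CircuitRepository
    ' Column names can't be sent as parameters, so restrict them to a known list.
    ' These column names are assumed for the example; use the real schema's columns.
    Private Shared ReadOnly AllowedFields As String() = {"Location", "Speed", "Status"}

    ' Updates one column of ATT_Circuits for the given hostname.
    ' Returns the number of rows affected. Expects an already-open connection.
    Public Shared Function UpdateCircuitField(conn As SqlConnection,
                                              field As String,
                                              value As String,
                                              hostname As String) As Integer
        ' Resolve the requested column against the allow-list and use the
        ' list's own copy of the name, never the caller's string.
        Dim index As Integer = Array.FindIndex(AllowedFields,
            Function(f) String.Equals(f, field, StringComparison.OrdinalIgnoreCase))
        If index < 0 Then
            Throw New ArgumentException("Unknown column: " & field)
        End If
        Dim column As String = AllowedFields(index)

        ' Only the vetted column name is spliced into the SQL text; both user
        ' values travel as parameters, so quotes in them are just data.
        Dim sql As String = "UPDATE ATT_Circuits SET [" & column & "] = @value WHERE Hostname = @hostname"

        Using cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 255).Value = value
            cmd.Parameters.Add("@hostname", SqlDbType.NVarChar, 255).Value = hostname
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Class
```

Two things worth noticing against the original line: the `Replace("'", "")` hack goes away, so a value such as `O'Brien` is stored correctly instead of being mangled, and `txtHostname.Text`, which the original did not even strip, is no longer in a position to alter the statement at all.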
In my defense, at the time (and some would say this is still the case),
that's what Microsoft was encouraging. Back then I didn't know any better. But
thankfully the many evening and late-night hours I've spent over the past 5
years have allowed me to learn much better ways of building software. <insert
thank you to my wife here /> Of course, this process seems to never cease!
**Anyone else brave enough to share smells from their first software