| Colin Bowern 2005-08-23, 5:52 pm |
| Having read Mike Howard's Writing Secure Code in the past I'm deeply
concerned with security, especially when there is commerce involved. I
noticed that I am unable to use parameterized commands though with CSOLEDB.
Creating an OleDbCommand with the following CommandText:
SELECT [KeyInfo.UserId] FROM [UserObject] WHERE [KeyInfo.UserId] = ?
results in "The ICommandWithParameters interface is not supported by the
'Commerce.DSO' provider. Command parameters are unsupported with the
current provider.".
Are there any better approaches? The only way I've managed to get a query
working is as follows:
dbCommand.CommandText = "SELECT [" + propertyName + "] FROM [" + profileType
+ "] WHERE [" + propertyName + "] = '" + propertyValue.Replace("'", "''") +
"'";
But that, of course, could easily be circumvented as noted in Howard's
book. So I'm left looking to see if anyone else has found a more secure way
to interface with CSOLEDB?
Thanks,
Colin
|
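Since the provider refuses parameters, the remaining defence is to keep the identifiers out of user control entirely and to quote the literal carefully. The helper below is an added example, not code from the original post: it allowlists the profile type and property name (the bracketed identifiers in the post's query are concatenated unescaped, so a caller-supplied name is a second injection point even with the quote doubling), rejects control characters in the value, and only then builds the CommandText the post shows. The allowlist contents and the OleDbConnection are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;

static class SafeQueryBuilder
{
    // Allowlists (assumed for this example). Identifiers cannot be
    // parameterized on any provider, so this check is their only protection.
    static readonly HashSet<string> AllowedProfileTypes =
        new HashSet<string>(StringComparer.Ordinal) { "UserObject" };
    static readonly HashSet<string> AllowedProperties =
        new HashSet<string>(StringComparer.Ordinal) { "KeyInfo.UserId" };

    // Quote a string literal: double embedded single quotes (as the post
    // already does) and refuse control characters, which a profile key
    // never legitimately contains.
    public static string QuoteLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        foreach (char c in value)
            if (char.IsControl(c))
                throw new ArgumentException("control character in value");
        return "'" + value.Replace("'", "''") + "'";
    }

    // Build the same SELECT as the post, but only for allowlisted identifiers.
    public static string BuildLookup(string profileType, string propertyName, string propertyValue)
    {
        if (!AllowedProfileTypes.Contains(profileType))
            throw new ArgumentException("profile type not allowed: " + profileType);
        if (!AllowedProperties.Contains(propertyName))
            throw new ArgumentException("property not allowed: " + propertyName);
        return "SELECT [" + propertyName + "] FROM [" + profileType + "]"
             + " WHERE [" + propertyName + "] = " + QuoteLiteral(propertyValue);
    }

    // Attach the text to an OleDbCommand on an already-open connection.
    public static OleDbCommand CreateCommand(OleDbConnection conn,
        string profileType, string propertyName, string propertyValue)
    {
        OleDbCommand cmd = conn.CreateCommand();
        cmd.CommandText = BuildLookup(profileType, propertyName, propertyValue);
        return cmd;
    }

    static void Main()
    {
        // Constructed sample value containing a quote.
        Console.WriteLine(BuildLookup("UserObject", "KeyInfo.UserId", "O'Brien"));
    }
}
```

This is still weaker than a real parameterized command (it relies on the provider treating the doubled quote exactly as T-SQL does), so the value should also be length-checked against what the profile property actually stores.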