Which code segment should you use?

You use Microsoft .NET Framework 4 to develop an application that connects to a Microsoft SQL
Server 2008 database. The application contains the following code segment.
string SQL = string.Format(
    "SELECT * FROM Customer WHERE CompanyName LIKE '%{0}%'",
    companyName);
var cmd = new SqlCommand(SQL, con);
You need to reduce the vulnerability to SQL injection attacks. Which code segment should you use?

A.
string SQL = "SELECT * FROM Customer WHERE " +
    "CompanyName LIKE @companyName";
var cmd = new SqlCommand(SQL, con);
cmd.Parameters.AddWithValue("@companyName",
    string.Format("%{0}%", companyName));

B.
string SQL = "SELECT * FROM Customer WHERE " +
    "CompanyName LIKE @companyName";
var cmd = new SqlCommand(SQL, con);
var param = new SqlParameter("@companyName",
    string.Format("%{0}%", companyName));

C.
string SQL = string.Format("SELECT * FROM " +
    "Customer WHERE CompanyName LIKE {0}",
    new SqlParameter("@companyName",
        string.Format("%{0}%", companyName)));
var cmd = new SqlCommand(SQL, con);

D.
string SQL = "SELECT * FROM Customer @companyName";
var cmd = new SqlCommand(SQL, con);
cmd.Parameters.AddWithValue("@companyName",
    string.Format("WHERE CompanyName LIKE '%{0}%'",
        companyName));

Explanation:
The fix is to keep the whole WHERE clause in the SQL text and attach the user-supplied value to the command with SqlParameterCollection.AddWithValue. The value is then sent to SQL Server as parameter data, so it cannot alter the statement the way a concatenated string can. Note that a SqlParameter that is created but never added to cmd.Parameters has no effect on the command.
Reference: SqlParameterCollection.AddWithValue Method
(http://msdn.microsoft.com/enus/library/system.data.sqlclient.sqlparametercollection.addwithvalue.aspx)
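The following added example (not code from the exam page) shows the vulnerable pattern from the question beside a parameterized version, and goes one step further than the answer choices by also escaping the LIKE wildcards in the user value so that it matches literally. It assumes an open SqlConnection named con and an nvarchar(100) CompanyName column; the table and column names come from the question.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class CustomerSearch
{
    // VULNERABLE: the user value is spliced into the SQL text, so a single quote
    // in it terminates the literal and the rest of the value is parsed as SQL.
    public static SqlCommand BuildUnsafe(SqlConnection con, string companyName)
    {
        string sql = string.Format(
            "SELECT * FROM Customer WHERE CompanyName LIKE '%{0}%'", companyName);
        return new SqlCommand(sql, con);
    }

    // Escape the LIKE metacharacters so the user value matches literally;
    // the ESCAPE clause in the query tells SQL Server which escape char is used.
    public static string EscapeLikeValue(string value)
    {
        return value.Replace("\\", "\\\\").Replace("%", "\\%")
                    .Replace("_", "\\_").Replace("[", "\\[");
    }

    // FIXED: the statement text is constant and the value travels as a typed
    // parameter, so it is data and never parsed as SQL. Parameters.Add with an
    // explicit SqlDbType avoids the type inference AddWithValue would perform.
    public static SqlCommand BuildSafe(SqlConnection con, string companyName)
    {
        const string sql =
            "SELECT * FROM Customer WHERE CompanyName LIKE @companyName ESCAPE '\\'";
        var cmd = new SqlCommand(sql, con);
        cmd.Parameters.Add("@companyName", SqlDbType.NVarChar, 100).Value =
            "%" + EscapeLikeValue(companyName) + "%";
        return cmd;
    }

    // Runs the parameterized query and returns the matching company names.
    public static List<string> FindCompanies(SqlConnection con, string companyName)
    {
        var names = new List<string>();
        using (var cmd = BuildSafe(con, companyName))
        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read())
                names.Add(reader.GetString(reader.GetOrdinal("CompanyName")));
        }
        return names;
    }
}
```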
