You use Microsoft .NET Framework 4 to develop an application that connects to a Microsoft SQL
Server 2008 database. The application contains the following code segment.
Dim SQL As String = String.Format(
"SELECT * FROM Customer WHERE CompanyName LIKE '%{0}%'",
companyName)
Dim cmd = New SqlCommand(SQL, con)
You need to reduce the vulnerability to SQL injection attacks. Which code segment should you use?
A.
Dim SQL As String = "SELECT * FROM Customer WHERE " &
"CompanyName LIKE @companyName"
Dim cmd = New SqlCommand(SQL, con)
cmd.Parameters.AddWithValue("@companyName",
String.Format("%{0}%", companyName))
B.
Dim SQL As String = "SELECT * FROM Customer WHERE " &
"CompanyName LIKE @companyName"
Dim cmd = New SqlCommand(SQL, con)
Dim param = New SqlParameter("@companyName",
String.Format("%{0}%", companyName))
C.
Dim SQL As String = String.Format("SELECT * FROM " &
"Customer WHERE CompanyName LIKE {0}",
New SqlParameter("@companyName",
String.Format("%{0}%", companyName)))
Dim cmd = New SqlCommand(SQL, con)
D.
Dim SQL As String = "SELECT * FROM Customer @companyName"
Dim cmd = New SqlCommand(SQL, con)
cmd.Parameters.AddWithValue("@companyName",
String.Format("WHERE CompanyName LIKE '%{0}%'",
companyName))
Explanation:
SqlParameterCollection.AddWithValue Method
(http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparametercollection.addwithvalue.aspx)