LLBLGen Pro Runtime Framework
Does LLBLGen escape strings?
Ian
User
Location: Hertfordshire, UK
Joined on: 01-Apr-2005 16:37:36
Posted: 511 posts
# Posted on: 18-Jan-2018 18:05:17.
If I'm supplying a string to be used in a LIKE clause, does LLBLGen escape the string such that single quotes, for example, can't break out of the query?

I've found that I can use % in a LIKE clause and it works as an 'anything before' operator.
Walaa
Support Team
Location: (not given)
Joined on: 21-Aug-2005 16:03:48
Posted: 14585 posts
# Posted on: 18-Jan-2018 19:25:06.
If you are asking about SQL Injection:

All SQL generated by LLBLGen Pro is parameterized. This means that no values are embedded into the SQL query being generated. Due to the parameters, a value can never influence the query being executed, as the value will never be part of the query itself, but just the value of a parameter. The generated code is therefore not vulnerable to SQL injection attacks.

Values passed as parameters (i.e. an SqlParameter object) do not need to be escaped.

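To make the answer's point concrete, here is an added example (Python with sqlite3, not LLBLGen or the forum's own code; the table, names and helper functions are constructed for the demonstration). It shows that a bound parameter containing a single quote is matched as plain data, and also the caveat the question touches on: `%` and `_` inside a parameter value are still LIKE wildcards, so user text that should match literally needs an `ESCAPE` clause.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original thread).
SAMPLE_NAMES = ["O'Brien", "100% cotton", "Smith", "under_score", "Smithson"]


def _connect() -> sqlite3.Connection:
    """In-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customer (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def search_like(pattern: str) -> list[str]:
    """Parameterised LIKE: the value is bound by the driver, never spliced into
    the SQL text, so a quote in it cannot terminate the literal. Note that
    % and _ in the bound value are still interpreted as wildcards."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM customer WHERE name LIKE ? ORDER BY name",
        (pattern,),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


def escape_like(value: str, esc: str = "\\") -> str:
    """Make user text match literally inside a LIKE pattern: escape the escape
    character first, then the two wildcards."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_literal_prefix(prefix: str) -> list[str]:
    """'Starts with' search: the user text is literal, only our trailing % is
    a wildcard. ESCAPE '\\' tells the engine which character we used."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM customer WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (escape_like(prefix) + "%",),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

The `search_like("' OR '1'='1")` case returns no rows because the whole string is compared as a pattern, not parsed as SQL; `search_like("under_")` returns nothing because `_` matches exactly one character, while `search_literal_prefix("under_")` finds the row.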


Powered by HnD ©2002-2007 Solutions Design
HnD uses LLBLGen Pro

Version: 2.1.12172008 Final.