Having read Mike Howard's Writing Secure Code in the past I'm deeply
concerned with security, especially when there is commerce involved. I
noticed that I am unable to use parameterized commands though with
CSOLEDB.
Creating an OleDbCommand with the following CommandText:
SELECT [KeyInfo.UserId] FROM [UserObject] WHERE [KeyInfo.UserId] = ?
results in "The ICommandWithParameters interface is not supported by the
'Commerce.DSO' provider. Command parameters are unsupported with the
current provider.".
Are there any better approaches? The only way I've managed to get a query
working is as follows:
dbCommand.CommandText = "SELECT [" + propertyName + "] FROM [" + profileType
    + "] WHERE [" + propertyName + "] = '" + propertyValue.Replace("'", "''") + "'";
But that, of course, could easily be circumvented as noted in Howard's
book. So I'm left looking to see if anyone else has found a more secure
way to interface with CSOLEDB?
Thanks,
Colin
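An added example, not Colin's code and not part of Commerce Server or its OLE DB provider. It builds the same lookup query as the post, but treats the three inputs differently: only the value can be protected by doubling quotes, so the two identifiers (profile type and property name) are instead checked against an allow-list the application owns and are never escaped. The class name, the helper names and the allow-list contents (only the identifiers that appear in the post) are assumptions; a real application would list the profile types and properties it actually queries.

```csharp
using System;
using System.Collections.Generic;

// Added example: builds a CSOLEDB lookup query without command parameters.
// Identifiers are allow-listed, the value is quoted as a string literal.
// Class and method names are hypothetical; the allow-lists are placeholders.
static class ProfileQueryBuilder
{
    // Assumed allow-lists: the only profile type and properties this code may query.
    static readonly HashSet<string> AllowedProfileTypes =
        new HashSet<string>(StringComparer.Ordinal) { "UserObject" };
    static readonly HashSet<string> AllowedProperties =
        new HashSet<string>(StringComparer.Ordinal) { "KeyInfo.UserId" };

    // Quote a value as a single-quoted SQL string literal by doubling any
    // embedded quote, the same escaping the post uses. A NUL byte has no
    // place in a user id, so it is refused rather than passed through.
    public static string QuoteLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        if (value.IndexOf('\0') >= 0)
            throw new ArgumentException("value must not contain NUL");
        return "'" + value.Replace("'", "''") + "'";
    }

    // An identifier is never escaped: it is either on the allow-list or refused.
    // Quote doubling does nothing for text that lands inside [ ... ].
    static string CheckIdentifier(string name, HashSet<string> allowed, string what)
    {
        if (name == null || !allowed.Contains(name))
            throw new ArgumentException(what + " is not an allowed identifier: " + name);
        return name;
    }

    // Returns the text to assign to OleDbCommand.CommandText.
    public static string BuildLookup(string profileType, string propertyName, string propertyValue)
    {
        string type = CheckIdentifier(profileType, AllowedProfileTypes, "profileType");
        string prop = CheckIdentifier(propertyName, AllowedProperties, "propertyName");
        return "SELECT [" + prop + "] FROM [" + type + "] WHERE [" + prop + "] = "
             + QuoteLiteral(propertyValue);
    }

    static void Main()
    {
        // Constructed input: a hostile value stays inside the literal.
        Console.WriteLine(BuildLookup("UserObject", "KeyInfo.UserId", "x' OR 1=1 --"));

        // Constructed input: a hostile identifier cannot be quoted away,
        // so it is refused before any query text is built.
        try
        {
            BuildLookup("UserObject", "KeyInfo.UserId] FROM [Other] --", "x");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The string returned by BuildLookup is what goes into dbCommand.CommandText. The point of the split is that the post's Replace("'", "''") only guards propertyValue; propertyName and profileType are concatenated raw, and there is no escaping for a bracketed identifier that a provider without parameter support can be relied on to honour, so the only safe treatment of an identifier is to compare it against a fixed set of known names.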