Validating user input
When you construct an application that accesses data, assume that all user input is malicious until it has been validated. Failure to do so can leave your application vulnerable to attack. One such attack is SQL injection: an attacker supplies input that, when concatenated into the text of a command, is passed to an instance of SQL Server, parsed, and run as SQL. To avoid this type of attack, pass user input only as typed parameters, use stored procedures with parameters where possible, and always validate user input. Note that a stored procedure protects you only if the input reaches it as a parameter; a procedure that concatenates its parameters into dynamic SQL is just as vulnerable as client code that does so.
Validating user input in client code is worthwhile because it lets you reject bad input without a round trip to the server. It is equally important to validate the parameters inside the stored procedure on the server, because client-side validation can be bypassed by a caller that does not use your client at all. Server-side checks catch input that never passed the client-side ones.
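The following is an added example, not code from the original article, that puts both recommendations into one ADO.NET (Microsoft.Data.SqlClient) program: a client-side check that fails fast, a parameterized call to a stored procedure, and a procedure that re-validates its own parameter on the server. The Customers table, the dbo.GetCustomersByLastName procedure, the connection string, and the malicious sample input are assumptions made for the illustration. The BuildVulnerableCommand method is included only for contrast and is never executed.

```csharp
using System;
using System.Data;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;

public static class CustomerLookup
{
    // Assumed schema (not from the original article): a dbo.Customers table with
    // CustomerId int, FirstName nvarchar(50), LastName nvarchar(50).
    // Server side: the procedure re-validates its parameter instead of trusting the
    // caller, so input that bypassed client-side validation is still rejected here.
    // The allow-list (ASCII letters, apostrophe, space) is illustrative only.
    public const string CreateProcedureSql = @"
CREATE OR ALTER PROCEDURE dbo.GetCustomersByLastName
    @LastName nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    IF @LastName IS NULL OR LEN(@LastName) = 0 OR LEN(@LastName) > 50
        THROW 50001, 'LastName must be 1 to 50 characters.', 1;
    IF PATINDEX('%[^a-zA-Z'' ]%', @LastName) > 0
        THROW 50002, 'LastName contains characters that are not allowed.', 1;
    SELECT CustomerId, FirstName, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName;
END";

    // VULNERABLE (shown for contrast, never executed): the input becomes part of the
    // command text, so  x' OR 1=1 --  closes the literal, adds an always-true
    // condition, and comments out the trailing quote, returning every row.
    public static SqlCommand BuildVulnerableCommand(SqlConnection conn, string lastName)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT CustomerId, FirstName, LastName FROM dbo.Customers WHERE LastName = '"
            + lastName + "'";
        return cmd;
    }

    // SAFE: the input travels as a typed nvarchar(50) parameter to a stored procedure.
    // SQL Server never parses it as SQL, whatever characters it contains.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string lastName)
    {
        var cmd = conn.CreateCommand();
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.CommandText = "dbo.GetCustomersByLastName";
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
        return cmd;
    }

    // Client side: the same rule as the procedure, applied before any round trip.
    private static readonly Regex LastNamePattern = new Regex(@"^[A-Za-z' ]{1,50}$");

    public static bool IsValidLastName(string lastName) =>
        lastName is not null && LastNamePattern.IsMatch(lastName);

    public static async Task Main()
    {
        // Placeholder connection string (an assumption); replace with your own.
        const string connectionString =
            "Server=localhost;Database=Shop;Integrated Security=true;TrustServerCertificate=true";
        const string userInput = "x' OR 1=1 --"; // constructed malicious input

        using var conn = new SqlConnection(connectionString);
        await conn.OpenAsync();

        using (var create = new SqlCommand(CreateProcedureSql, conn))
            await create.ExecuteNonQueryAsync();

        if (!IsValidLastName(userInput))
            Console.WriteLine("Client-side validation rejected the input; no round trip made.");

        // Even when the client-side check is skipped (as a hostile caller would skip it),
        // the parameter carries the text literally and the procedure's own checks reject it.
        try
        {
            using var cmd = BuildSafeCommand(conn, userInput);
            using var reader = await cmd.ExecuteReaderAsync();
            while (await reader.ReadAsync())
                Console.WriteLine($"{reader.GetInt32(0)} {reader.GetString(1)} {reader.GetString(2)}");
        }
        catch (SqlException ex) when (ex.Number >= 50000)
        {
            // Errors raised by THROW in the procedure arrive here with the custom number.
            Console.WriteLine($"Server-side validation rejected the input: {ex.Message}");
        }
    }
}
```

The two validation layers deliberately share one rule: the client check saves a round trip for honest mistakes, while the check inside the procedure is the one that actually enforces the rule, since nothing obliges a caller to run the client code. Passing the value as a sized SqlParameter rather than concatenating it is what prevents the injection itself; the validation narrows what the procedure will accept beyond that.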
For more information about SQL injection and how to avoid it, see SQL injection. For more information about validating stored procedure parameters, see Stored procedures and related articles.