
SQL Injection Open

description

I just started a quick review of your codebase and immediately noticed the following in
 
ViewHtml.aspx.cs
 
        string index = Request.QueryString["index"];
... other code ...
        string SqlString = "SELECT Newsletters.*, NewsletterLists.lid FROM Newsletters " +
            "INNER JOIN NewsletterLists ON Newsletters.Id = NewsletterLists.nid WHERE Newsletters.Id=" + index + ";";
 
You really should start early, at least, using parameterized queries instead of building your queries out of strings.
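Added example, not code from the original report or from the project: the concatenated query quoted above next to the parameterized replacement, with a constructed hostile value for `index` to show why the concatenation is dangerous. The class name, the `int.TryParse` guard and the placeholder connection string are assumptions for illustration; the program never opens the connection, so it runs offline.

```csharp
// Added example (not the project's code). Shows the reported concatenation,
// what a hostile 'index' does to it, and the parameterized form that fixes it.
using System;
using System.Data;
using System.Data.SqlClient;

public static class NewsletterQueries
{
    // Vulnerable (as in the report): 'index' is spliced straight into the SQL text,
    // so whatever the client sends becomes part of the statement.
    public static string BuildVulnerableSql(string index)
    {
        return "SELECT Newsletters.*, NewsletterLists.lid FROM Newsletters " +
               "INNER JOIN NewsletterLists ON Newsletters.Id = NewsletterLists.nid " +
               "WHERE Newsletters.Id=" + index + ";";
    }

    // Hardened: the SQL text is constant; the value travels as a typed parameter.
    // The TryParse guard is an added assumption: Id is an integer column, so anything
    // that is not an integer is rejected before it gets anywhere near the database.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string index)
    {
        if (!int.TryParse(index, out int id))
            throw new ArgumentException("index must be an integer", nameof(index));

        var cmd = new SqlCommand(
            "SELECT Newsletters.*, NewsletterLists.lid FROM Newsletters " +
            "INNER JOIN NewsletterLists ON Newsletters.Id = NewsletterLists.nid " +
            "WHERE Newsletters.Id = @id;", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }

    public static void Main()
    {
        // Constructed attacker input: terminates the intended statement and appends another.
        string hostile = "1; DROP TABLE Newsletters; --";

        // With concatenation the second statement is part of what the server receives.
        Console.WriteLine(BuildVulnerableSql(hostile));

        // Placeholder connection string (assumption); the connection is never opened here.
        using (var conn = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        {
            try
            {
                SqlCommand cmd = BuildParameterizedCommand(conn, hostile);
                Console.WriteLine(cmd.CommandText);
            }
            catch (ArgumentException ex)
            {
                // The hostile value never reaches SQL: it is rejected as a non-integer.
                Console.WriteLine("rejected: " + ex.Message);
            }

            // A legitimate value is bound as an Int parameter, not pasted into the text.
            SqlCommand ok = BuildParameterizedCommand(conn, "42");
            Console.WriteLine(ok.CommandText + "  [@id = " + ok.Parameters["@id"].Value + "]");
        }
    }
}
```

The parameterized command keeps `Newsletters.Id = @id` as a fixed string regardless of input; the database driver sends the value separately, so even a value that looks like SQL is compared as an integer rather than executed. The `int.TryParse` step is belt-and-braces on top of that, not a substitute for it.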

comments