// GET: SqlInjection/ReadOnlyUser?CategoryId=1
// Mitigation demonstrated here: the query runs over the "NorthWindReadOnly" connection string,
// i.e. a least-privilege database account. The data access layer is still
// NorthWindRepositoryUnsafe and categoryId reaches it without any validation in this action,
// so a read-only account only limits what an injected statement can do; it does not prevent
// injection. (The original header mentioned parameterized queries, but nothing visible in this
// action parameterizes anything — confirm against NorthWindRepositoryUnsafe.)
public IActionResult ReadOnlyUser(string categoryId)
{
    var readOnlyConnection = configuration.GetConnectionString("NorthWindReadOnly");
    INorthWindRepository repository = new NorthWindRepositoryUnsafe(readOnlyConnection);
    var products = repository.LoadProducts(categoryId);

    // Expose the decoded request path + query string so the view can show what was submitted.
    // This text is attacker-controlled; it relies on the view rendering it HTML-encoded
    // (Razor's default) rather than via Html.Raw — the view is not visible here, verify.
    var queryText = Request.QueryString.HasValue ? Request.QueryString.Value : string.Empty;
    ViewData["url"] = WebUtility.UrlDecode(Request.Path.ToString() + queryText);

    return View("Index", products);
}
// GET: SqlInjection/InputValidation?CategoryId=1
// Mitigation demonstrated here: the request is bound to ProductCategoryViewModel and rejected
// with 400 Bad Request when ModelState is invalid. The data access is still
// NorthWindRepositoryUnsafe, this time on the "NorthWindReadWrite" connection, so whatever
// validation ProductCategoryViewModel declares on CategoryId (not visible in this file) is the
// only barrier between the request and the query — confirm it constrains the value to the
// expected identifier format.
public IActionResult InputValidation(ProductCategoryViewModel productCategory)
{
    // Guard clause: reject anything that failed model validation before touching the database.
    if (!ModelState.IsValid)
    {
        return BadRequest();
    }

    string categoryId = productCategory.CategoryId;
    var readWriteConnection = configuration.GetConnectionString("NorthWindReadWrite");
    INorthWindRepository repository = new NorthWindRepositoryUnsafe(readWriteConnection);
    var products = repository.LoadProducts(categoryId);

    // Decoded request path + query string for display in the view. Attacker-controlled text;
    // the view must render it HTML-encoded (Razor default), never through Html.Raw — verify there.
    var queryText = Request.QueryString.HasValue ? Request.QueryString.Value : string.Empty;
    ViewData["url"] = WebUtility.UrlDecode(Request.Path.ToString() + queryText);

    return View("Index", products);
}