PrepAway - Latest Free Exam Questions & Answers

Which code segment should you use?

You use Microsoft Visual Studio 2010 and .NET Framework 4.0 to create an application.
The application connects to a Microsoft SQL Server 2008 database. The application contains the following code segment.

string SQL = string.Format("SELECT * FROM Customer WHERE CompanyName LIKE '%{0}%'", companyName);
var cmd = new SqlCommand(SQL, con);

You need to reduce the vulnerability to SQL injection attacks. Which code segment should you use?


A.
string SQL = "SELECT * FROM Customer Where " + "CompanyName LIKE @companyName";
var cmd = new SqlCommand(SQL,con);
cmd.Parameters.AddWithValue("@companyName", string.Format("%{0}%", companyName));

B.
string SQL = "SELECT * FROM Customer Where " + "CompanyName LIKE @companyName";
var cmd = new SqlCommand(SQL,con);
var param = new SqlParameter("@companyName", string.Format("%{0}%", companyName));

C.
string SQL = string.Format("SELECT * FROM " + " Customer Where CompanyName LIKE {0}",
new SqlCommand("@companyName", string.format("%{0}%", companyName)));
var cmd = new SqlCommand(SQL, con);

D.
string SQL = "SELECT * FROM Customer @companyName";
var cmd = new sqlcommand(SQL,con);
cmd.Parameters.AddWithValue("companyName", string.format("where companyName LIKE '%{0}%'", companyName));

Explanation:
The correct answer is A. The original code splices companyName into the SQL text with string.Format, so an input such as x%' OR 1=1 -- is parsed by SQL Server as part of the statement. Option A keeps the statement text constant and sends the search pattern as the @companyName parameter through SqlParameterCollection.AddWithValue; the value travels to the server as data and is never parsed as SQL, which is what removes the injection.

Option B builds a SqlParameter but never adds it to cmd.Parameters, so the command fails at execution time because @companyName is undefined. Option C does not compile (SqlCommand has no (string, string) constructor), and even if it did, the result would just be formatted back into the SQL text. Option D tries to pass the entire WHERE clause as a parameter value; parameters carry values, not SQL syntax, so the statement is not valid T-SQL.

Two practical caveats. Parameterizing a LIKE search stops injection but not wildcard abuse: %, _ and [ supplied by the user still act as LIKE metacharacters unless they are escaped and the query carries an ESCAPE clause. AddWithValue also infers the parameter type from the .NET value (NVARCHAR for a string), which can force an implicit conversion on a VARCHAR column; Parameters.Add with an explicit SqlDbType and size avoids that.

Reference: SqlParameterCollection.AddWithValue Method
(http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparametercollection.addwithvalue.aspx)
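The following is an added example, not code from the exam page: it places the vulnerable string.Format query beside the parameterized form from option A, escapes the LIKE metacharacters, and uses Parameters.Add with an explicit type instead of AddWithValue. It assumes the System.Data.SqlClient assembly of .NET Framework 4.0; no connection is opened, the commands are only built and inspected, and the table, column and connection string are placeholders.

```csharp
// Added example (not from the exam page). Builds, but never executes, the
// vulnerable and the parameterized version of the Customer search so the
// difference can be inspected without a database.
using System;
using System.Data;
using System.Data.SqlClient;

static class LikeQueryDemo
{
    // The exam's original pattern: the value is spliced into the SQL text.
    static SqlCommand BuildVulnerable(SqlConnection con, string companyName)
    {
        string sql = string.Format(
            "SELECT * FROM Customer WHERE CompanyName LIKE '%{0}%'", companyName);
        return new SqlCommand(sql, con);
    }

    // Escape T-SQL LIKE metacharacters so user input matches literally.
    // The escape character itself is handled first, then '[', '%' and '_'.
    static string EscapeLike(string value)
    {
        return value.Replace("\\", "\\\\")
                    .Replace("[", "\\[")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_");
    }

    // Option A's approach, hardened: constant SQL text, the pattern as a typed
    // parameter, and an ESCAPE clause so the escaping above takes effect.
    static SqlCommand BuildParameterized(SqlConnection con, string companyName)
    {
        const string sql =
            "SELECT * FROM Customer WHERE CompanyName LIKE @companyName ESCAPE '\\'";
        var cmd = new SqlCommand(sql, con);
        // Explicit SqlDbType and size instead of AddWithValue, which would infer
        // NVARCHAR from the .NET string (an assumed VARCHAR(100) column here).
        cmd.Parameters.Add("@companyName", SqlDbType.VarChar, 100).Value =
            "%" + EscapeLike(companyName) + "%";
        return cmd;
    }

    static void Main()
    {
        // Placeholder connection string; nothing is opened.
        var con = new SqlConnection("Server=.;Database=Shop;Integrated Security=true");
        string attacker = "x%' OR 1=1; DROP TABLE Customer; --";

        // The payload lands inside the statement text and closes the literal.
        Console.WriteLine(BuildVulnerable(con, attacker).CommandText);

        // The statement text is fixed; the payload is only a parameter value,
        // with its '%' escaped so it no longer acts as a wildcard.
        var safe = BuildParameterized(con, attacker);
        Console.WriteLine(safe.CommandText);
        Console.WriteLine(safe.Parameters["@companyName"].Value);
    }
}
```

Running it under .NET Framework (csc.exe with a reference to System.Data.dll) prints the spliced statement first, then the unchanged parameterized statement followed by the escaped pattern that would be bound to @companyName.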

