There are five common misunderstandings about SQL injection:
1. SQL injection is hard to prevent; a dozen keywords such as select and delete have to be filtered out.
In fact, for string-typed fields it is enough to escape the single quotation mark. For numeric fields, replacing characters is useless, because no quotation mark is needed to break out of the statement; you must convert the value to a numeric type before it goes anywhere near the SQL.
2. Input that comes from a DropDownList can be ignored.
This is wrong. Everything that comes from the client is untrusted, and a select drop-down box is no exception: an attacker can write their own HTML form and submit whatever values they like to the server.
3. Access is less secure than SQL Server.
What decides security is how the database is used. If SQL Server is used the way Access usually is, connecting as the sa account, then SQL Server is clearly the less secure of the two: an injection can read table and column names directly from the system tables. Access is harder to attack in that situation, because the names can only be obtained by guessing them one piece at a time.
4. If the website shows no error messages, it is secure.
When a matching record exists the page shows it; when none exists it shows "no records found". These two states are enough for an attacker to guess table and column names one condition at a time. So the absence of error messages does not make a page secure.
5. Data submitted by POST can be ignored.
Many people filter the contents of the URL strictly but leave POST data unchecked. That is a mistake: POST content is easier to inject because a form carries many fields.
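The following is an added example, not code from the original article, and it uses Python with an in-memory SQLite database standing in for the ASP.NET/SQL Server stack so that the query-level behaviour can be run offline. The users table, its rows, the column-name candidates and the injection payloads are all constructed for the demonstration. It shows misunderstanding 1 (escaping quotes protects the string field but not the numeric one), misunderstandings 3 and 4 (with only a found/not-found state and every error hidden, an attacker can still guess column names one at a time), and the fix the article recommends: convert numeric input and bind every value as a parameter.

```python
import sqlite3

# Constructed sample data (not from the original article): a small users table.
SAMPLE_ROWS = [
    (1, "alice", 30, "alice-secret"),
    (2, "bob", 25, "bob-secret"),
    (3, "carol", 41, "carol-secret"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, secret TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def escape_only(conn, name, age):
    """Misunderstanding 1: the single quote in the string field is escaped, but the
    numeric field is pasted straight into the statement. name is safe; age is not,
    because no quote is needed to break out of a numeric comparison."""
    safe_name = name.replace("'", "''")
    sql = f"SELECT id FROM users WHERE name = '{safe_name}' AND age = {age}"
    return [row[0] for row in conn.execute(sql)]


def typed_and_parameterized(conn, name, age):
    """The recommended fix: convert the numeric field to a number and pass every
    value as a bound parameter instead of concatenating it into the SQL text."""
    age_int = int(age)  # '0 OR 1=1' raises ValueError here and never reaches SQL
    sql = "SELECT id FROM users WHERE name = ? AND age = ?"
    return [row[0] for row in conn.execute(sql, (name, age_int))]


def record_found(conn, name):
    """Misunderstanding 4: a vulnerable search that swallows every error and exposes
    only two states to the caller, 'record found' or 'no records found'."""
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # error hidden: the attacker sees the same 'no records' page


def guess_columns(conn, candidates):
    """Blind inference using only the found/not-found state. For each candidate
    column name, inject a condition that is true for every row when the column
    exists and a SQL error (hidden, shown as 'no records') when it does not."""
    present = []
    for col in candidates:
        payload = f"x' OR length({col}) >= 0 --"
        if record_found(conn, payload):
            present.append(col)
    return present


if __name__ == "__main__":
    db = make_db()
    print(escape_only(db, "x' OR '1'='1", 30))      # [] : quote escaping holds for the string field
    print(escape_only(db, "alice", "0 OR 1=1"))     # [1, 2, 3] : numeric field injected anyway
    print(guess_columns(db, ["password", "secret", "email", "name"]))  # ['secret', 'name']
```

The guessing loop works against a catalog-free database such as Access in exactly the way misunderstanding 3 describes: nothing is read from system tables, the attacker simply tries one name per request and watches which of the two page states comes back.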
In ASP.NET we strongly recommend implementing SQL statements with parameters instead of string concatenation, because even if you filter hundreds of keywords
For example:
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

// Connection string is read from the "conn" key under <appSettings> in web.config
SqlConnection conn = new SqlConnection(ConfigurationSettings.AppSettings["conn"]);
SqlCommand comm = new SqlCommand("update tb1 set vName = @vName, iAge = @iAge where ID = @id", conn);
// The string value travels as a typed parameter, separately from the statement text
SqlParameter parm1 = new SqlParameter("@vName", SqlDbType.NVarChar, 50);
parm1.Value = ((TextBox)e.Item.FindControl("name")).Text;
// Numeric input is converted first; non-numeric text fails here instead of reaching SQL
SqlParameter parm2 = new SqlParameter("@iAge", SqlDbType.Int);
parm2.Value = int.Parse(((TextBox)e.Item.FindControl("age")).Text);
SqlParameter parm3 = new SqlParameter("@id", SqlDbType.Int);
parm3.Value = this.DataGrid1.DataKeys[e.Item.ItemIndex];
comm.Parameters.Add(parm1);
comm.Parameters.Add(parm2);
comm.Parameters.Add(parm3);
conn.Open();
comm.ExecuteNonQuery();
conn.Close();
This code reads cleanly and is safe. Why?