Chapter 5. Data in a Web Service

Writing a web service doesn’t have to be a difficult or frustrating experience. I know many people, including myself, who struggled with writing one the first time. The challenge is more around understanding how different data types are returned and then taking care of the data access. I have written a simple example that will give you a great start toward writing one that will meet your needs.

The first thing that I want to cover is something called an SQL Injection Attack. When you are accepting input from users on the Web (really anywhere, but particularly on the Web), you need to be sure that you are taking precautions to avoid an SQL Injection Attack. In basic terms, if you are building an SQL Query String dynamically based on user input, a user can enter in text, end the first statement, then enter in malicious code (drop a table, overwrite data, etc.), and then put in a comment marker that would make SQL Server ignore the rest of the statement.