SQL Injection prevention

Posted by simonsabin on SQL Blogcasts See other posts from SQL Blogcasts or by simonsabin
Published on Fri, 14 May 2010 08:31:58 GMT Indexed on 2010/05/14 8:56 UTC
Read the original article Hit count: 289

Filed under:
Just asking people not to use a list of certain words is not prevention from SQL Injection https://homebank.sactocu.org/UA2004/faq-mfa.htm#pp6 To protect yourself from SQL Injection you have to do 1 simple thing. Do not build your SQL statements by concatenating values passed by the user into a string an executing them. If your query has to be dynamic then make sure any values passed by a user are passed as parameters and use sp_executesql in TSQL or a SqlCommand object in ADO.Net...(read more)

© SQL Blogcasts or respective owner