sanitization

There's like a million Q&A that explain the options like FILTER_FLAG_STRIP_LOW , but what does FILTER_SANITIZE_STRING do on its own, without any options? Does it just filter tags? According to PHP Manual : Strip tags, optionally strip or encode special characters. According to W3Schools : The FILTER_SANITIZE_STRING filter strips or encodes unwanted characters. This filter removes data that is potentially harmful for your application. It is used to strip tags and remove or encode unwanted characters. Now, that doesn't tell us much. Let's go see some PHP sources. ext/filter/filter.c : static

To start this off, I am well aware that parameterized queries are the best option, but I am asking what makes the strategy I present below vulnerable. People insist the below solution doesn't work, so I am look for an example of why it wouldn't. If dynamic SQL is built in code using the following escaping before being sent to a SQL Server, what kind of injection can defeat this? string userInput= "N'" + userInput.Replace("'", "''") + "'" A similar question was answered here , but I don't believe any of the answers are applicable here. Escaping the single quote with a "\" isn't possible in SQL

I am generating some Dynamic SQL and would like to ensure that my code is safe from SQL injection . For sake of argument here is a minimal example of how it is generated: var sql = string.Format("INSERT INTO {0} ({1}) VALUES (@value)", tableName, columnName); In the above, tableName , columnName , and whatever is bound to @value come from an untrusted source. Since placeholders are being used @value is safe from SQL injection attacks, and can be ignored. (The command is executed via SqlCommand.) However, tableName and columnName cannot be bound as placeholders and are therefor vulnerable to