Does this code prevent SQL injection?

Backend · Unresolved · 7 answers · 1220 views
無奈伤痛 2020-11-29 08:40

Background

I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to pr

7 answers
  •  旧时难觅i
    2020-11-29 09:16

    This MSDN article covers most of the stuff you need to look out for (I'm afraid to say all when it comes to SQL injection).

    But I will echo everyone else's sentiment of parameters parameters parameters.

    As for your example some gotchas [Edit: Updated these]:

    • wouldn't the string "1 OR 1=1" allow the user to get back everything

    • or worse "1; drop table sometablename"

    According to the article you want to check for:

    ; - Query delimiter.

    ' - Character data string delimiter.

    -- - Comment delimiter.

    /* ... */ - Comment delimiters. Text between /* and */ is not evaluated by the server.

    xp_ - Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.
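To make the answer's point concrete, here is an added example (my own code, not from the question or any of the answers) that uses Python's sqlite3 module instead of the .NET data provider from the question. The `users` table and its rows are constructed for the demo; the concatenating and parameterised query functions are assumed stand-ins for the two ways the provider could have been written.

```python
import sqlite3

# Constructed sample data; not from the original question.
ROWS = [
    (1, "alice", "a@example.com"),
    (2, "bob", "b@example.com"),
    (3, "carol", "c@example.com"),
]

# The delimiters listed in the answer's MSDN excerpt.
SUSPICIOUS = (";", "'", "--", "/*", "*/", "xp_")


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def get_user_concat(conn, user_id):
    """The faulty pattern: caller input is spliced into the SQL text, so
    '1 OR 1=1' rewrites the WHERE clause instead of being compared as a value."""
    sql = "SELECT id, name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def get_user_param(conn, user_id):
    """The fix the answer recommends: the value is bound as a parameter and is
    never parsed as SQL, so '1 OR 1=1' is just a string that matches no id."""
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def contains_delimiter(value):
    """The character check from the answer's list. It catches the stacked-query
    and comment cases, but '1 OR 1=1' contains none of these tokens and passes,
    which is why filtering alone does not replace parameters."""
    lowered = value.lower()
    return any(token in lowered for token in SUSPICIOUS)
```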
