I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to pr
You are trying to blacklist characters to implement your own version of SQL escaping. I would suggest reviewing this URL - SQL escaping is not necessarily the worst choice (i.e. quickly fixing existing apps), but it needs to be done right to avoid vulnerabilities.
That URL links to another page for escaping in SQL Server where the author gives suggestions that help you avoid vulnerabilities without limiting functionality.
If it helps, the articles suggest escaping braces too (I call them square brackets - but []).
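As an added illustration of the difference the answer draws (this is example code written for this page, not the asker's provider or the linked article's code), the block below puts the character-stripping approach next to the two escaping rules that are actually correct for T-SQL: doubling `'` inside a string literal and doubling `]` inside a bracket-quoted identifier (what SQL Server's QUOTENAME does). It uses Python's built-in sqlite3 as an offline stand-in because SQLite accepts the same `''` literal rule and `[ ]` identifier syntax; the one assumption to note is that SQLite does not honour a doubled `]`, so that case is verified only on the produced text.

```python
import sqlite3


def blacklist_strip(value: str) -> str:
    """The pattern the question describes: drop characters deemed dangerous.
    It silently changes legitimate data and is not a reversible encoding."""
    return "".join(ch for ch in value if ch not in "';-")


def escape_string_literal(value: str) -> str:
    """Correct T-SQL (and SQLite) rule for a string literal: double every
    single quote and wrap the whole value in single quotes."""
    return "'" + value.replace("'", "''") + "'"


def escape_identifier(name: str) -> str:
    """Correct rule for a bracket-quoted identifier: the only character that
    can close the bracket is ']', so it is doubled, as QUOTENAME does."""
    return "[" + name.replace("]", "]]") + "]"


def round_trip_literal(value: str) -> str:
    """Run the escaped literal through a real SQL engine and return what
    the database actually received."""
    with sqlite3.connect(":memory:") as conn:
        return conn.execute("SELECT " + escape_string_literal(value)).fetchone()[0]


def round_trip_identifier(name: str) -> str:
    """Create a column with the escaped identifier and read its name back
    (constructed table; names containing ']' are not used here, see lead-in)."""
    with sqlite3.connect(":memory:") as conn:
        conn.execute("CREATE TABLE t (" + escape_identifier(name) + " TEXT)")
        return conn.execute("PRAGMA table_info(t)").fetchone()[1]


def round_trip_parameterized(value: str) -> str:
    """The preferred alternative to any escaping: a bound parameter, where the
    driver keeps data and SQL text separate and nothing needs escaping."""
    with sqlite3.connect(":memory:") as conn:
        return conn.execute("SELECT ?", (value,)).fetchone()[0]


if __name__ == "__main__":
    sample = "O'Brien"  # constructed input: a perfectly valid surname
    print("blacklist  :", blacklist_strip(sample))
    print("escaped    :", round_trip_literal(sample))
    print("parameter  :", round_trip_parameterized(sample))
    print("identifier :", escape_identifier("end]"))
```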