Detect SQL Injection

Front-end · Unresolved · 5 · 1464

I came to a company that already has a fully grown project... but coders that worked here before me didn't follow conventions and didn't use parametrized SQL queries... as

5 answers
  •  感情败类
    2021-01-05 16:44

    You need to check wherever variables are passed in to the SQL strings. For string values, you must replace every instance of a single quote with a double quote. For non-string values (those that will pass to the SQL unquoted), you must make sure they are strongly typed.

    E.g. don't pass something like "SELECT * FROM Users WHERE UserID = " + my_string_user_id. Instead, use code like "SELECT * FROM Users WHERE UserID = " + userId_as_int.

    This worked back in the day when I had a similar codebase with no parameterized queries at all.
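The answer above boils down to two tasks: find every place where a variable is concatenated into a SQL string, and then make each one safe. The following is an added example (not code from the question's project or from the answerer): a small scanner that flags the concatenation pattern over a constructed sample of legacy source lines, beside a hardened lookup that replaces concatenation with a driver-bound parameter and enforces the integer typing the answer asks for. `SAMPLE_SOURCE`, the `Users` table, and the function names are hypothetical; the parametrized query is a swapped-in technique and is stricter than the quote-doubling the answer describes.

```python
import re
import sqlite3

# Constructed sample of legacy source lines (hypothetical; stands in for
# the questioner's codebase, which we have not seen).
SAMPLE_SOURCE = """\
cmd = "SELECT * FROM Users WHERE UserID = " + my_string_user_id
cmd = "SELECT * FROM Users WHERE UserID = " + str(userId_as_int)
cmd = "SELECT * FROM Users WHERE Name = '" + name + "'"
cursor.execute("SELECT * FROM Users WHERE UserID = ?", (user_id,))
label = "count: " + str(n)
"""

# A double-quoted literal that contains a SQL verb, immediately followed by
# "+ <expression>": exactly the spot the answer tells you to go and check.
CONCAT_INTO_SQL = re.compile(
    r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+\s*(.+)$',
    re.IGNORECASE,
)


def find_sql_concatenations(source):
    """Return (line_number, concatenated_expression) for every line that
    appends a variable or expression onto a SQL string literal.

    Lines that pass values through a placeholder ("?" plus a tuple) and
    string building that is not SQL at all are left alone.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = CONCAT_INTO_SQL.search(line)
        if match:
            findings.append((lineno, match.group(1).strip()))
    return findings


def demo_connection():
    """In-memory SQLite database with a tiny constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, Name TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)", [(1, "alice"), (2, "bob")]
    )
    return conn


def lookup_user(conn, user_id):
    """Hardened replacement for '... WHERE UserID = ' + my_string_user_id.

    int() enforces the strong typing the answer requires for unquoted
    values (anything that is not an integer raises ValueError before any
    SQL is built), and the driver binds the value to the "?" placeholder,
    so no quoting or escaping of the input is needed at all.
    """
    user_id = int(user_id)
    row = conn.execute(
        "SELECT Name FROM Users WHERE UserID = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for lineno, expr in find_sql_concatenations(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL string concatenated with {expr!r}")
    conn = demo_connection()
    print(lookup_user(conn, "2"))
```

The scanner only catches the `"..." + variable` shape; in a real sweep you would also grep for `%`, `.format(`, f-strings and string builders, and treat every hit as a review item. The hardened function shows the target shape for each hit: a typed value bound through a placeholder rather than pasted into the text of the query.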
