I am using SQL Server 2005, I have some select and update statements in my query with WHERE clause
I want to prevent these queries from SQL injection attacks.
What are the steps and precautions to be taken for SQL Injection attacks?
Does anybody have suggestions?
Thanks in advance,
Use stored procedures and pass the data you need to update as parameters.
The common method is to use regular expressions against the text that will be used in the where clause. The initial poster is correct in that stored procedures and parameters will stop this, but, if you are going to execute a sting built in the stored procedure you are still susceptible to an injection attack.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.