Hi Mike,
I think John's suggestion is quite reasonable. In the SQL statement, some
characters are not allowed, such as the single quote ', and generally we
have to replace it with another character. If we use the SqlCommand's
parameters to set the value, it'll automatically replace it for us. Also,
using parameters has more to do with security, as John has mentioned. And
here is another tech article on MSDN discussing this:
#Secure ADO.NET Coding Guidelines
http://msdn.microsoft.com/library/en...readonetcodingguidelines.asp?frame=true
Hope this also helps. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)
Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
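The contrast Steven describes above, shown as an added example (this is not code from the post or from the MSDN article it links): the same lookup built by string concatenation, where a single quote in the input breaks the statement, and built with a SqlCommand parameter, where the value is sent separately and no manual replacing is needed. The table name Customers, its columns CustomerId and Name, and the connection string are assumptions for the illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: builds the same query two ways so the difference is visible.
// Assumptions (not from the post): a table named Customers with columns
// CustomerId and Name, and a connection string supplied by the caller.
public static class CustomerLookup
{
    // Unsafe: the user-supplied name is pasted into the SQL text.
    // A value containing a single quote leaves the quotes unbalanced, and
    // whatever follows the quote is read by the server as part of the command.
    public static string BuildUnsafeSql(string name)
    {
        return "SELECT CustomerId, Name FROM Customers WHERE Name = '" + name + "'";
    }

    // Safe: the SQL text is fixed; the value travels as a typed parameter.
    // ADO.NET sends the value separately, so quotes in it never change the
    // statement's structure and the caller does not escape anything by hand.
    public static DataTable FindByName(string connectionString, string name)
    {
        const string sql = "SELECT CustomerId, Name FROM Customers WHERE Name = @Name";
        var table = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length match the (assumed) column definition
            // and avoid implicit conversions on the server side.
            command.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);   // Fill opens and closes the connection itself
            }
        }
        return table;
    }

    public static void Main()
    {
        // Constructed input containing the single quote the post says is
        // "not allowed" inside SQL text.
        string input = "O'Brien";

        Console.WriteLine(BuildUnsafeSql(input));
        // Prints: SELECT CustomerId, Name FROM Customers WHERE Name = 'O'Brien'
        // which is malformed SQL (the quotes no longer pair up).

        // With a parameter the same value is simply data; the SQL text is unchanged.
        // Uncomment with a real connection string to run the query:
        // DataTable rows = FindByName("<connection string placeholder>", input);
        // Console.WriteLine(rows.Rows.Count + " row(s) returned");
    }
}
```

The point to take from it: the parameterized version sends exactly one statement shape to the server regardless of what the user typed, which is why it needs no character replacement and closes the door that concatenation leaves open.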