I've got some code that adds a single quote to any ad hoc queries that
appear to look like hacks. For instance, if somebody enters ' OR 1=1 --
then this code adds another single quote to the string to neutralize it.
The neutralized string becomes '' OR 1=1 --.
The problem is that when I try to concatenate this string into a SQL
insert statement, the extra single quote is lost. It disappears! The
hack can then get to the DB.
I tried using StringBuilder but it has the same effect.
Anybody ever heard of something like this?
~Paul
*** Sent via Developersdex http://www.developersdex.com ***
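Added example, not part of the original post: the post does not name its language, so this uses Python with sqlite3 to show the quote-doubling approach it describes, the unescaped concatenation it is trying to defend against, and the parameterized query that removes the need for any neutralizing logic. The `users` table and its columns are assumptions for the demo; the input string is the same `' OR 1=1 --` from the post.

```python
import sqlite3


def double_quotes(value: str) -> str:
    """Neutralize a string literal the way the post describes: double every single quote."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    # Assumed schema for the demo (not from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_escaped_concat(conn: sqlite3.Connection, name: str) -> str:
    # Concatenation with doubled quotes. This only holds because the value sits
    # inside its own quote pair in the SQL text; if that wrapping is dropped or
    # the escaping is applied before some other layer re-processes the string,
    # the protection is gone. Returns the SQL text so it can be inspected.
    sql = "INSERT INTO users (name) VALUES ('" + double_quotes(name) + "')"
    conn.execute(sql)
    conn.commit()
    return sql


def insert_parameterized(conn: sqlite3.Connection, name: str) -> None:
    # The driver transmits the value separately from the SQL text, so the
    # database never parses the input as SQL and no quoting logic is needed.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def find_by_name_unescaped(conn: sqlite3.Connection, name: str) -> int:
    # The "before" form: raw concatenation, which is what lets the input reach
    # the DB as SQL. Returns how many rows the lookup matched.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return len(conn.execute(sql).fetchall())


def find_by_name_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Hardened lookup: the input is compared as data, never parsed as SQL.
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1 --"  # constructed sample input, the string from the post
    sql = insert_escaped_concat(conn, payload)
    insert_parameterized(conn, payload)
    insert_parameterized(conn, "alice")  # constructed ordinary row
    return {
        "escaped_sql": sql,
        "stored": stored_names(conn),
        "unescaped_matches": find_by_name_unescaped(conn, payload),
        "parameterized_matches": find_by_name_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Both the escaped concatenation and the parameterized insert store the literal text `' OR 1=1 --` as a name. The difference shows on lookup: the unescaped concatenation matches every row in the table, while the parameterized lookup matches only the rows whose name is exactly that string. Parameterizing every statement also makes the "does this look like a hack" check unnecessary, so there is no escaping step left to lose.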