about SQL Statement Security

Discussion in 'ASP.NET 2.0' started by derinweb, Dec 22, 2006.

  1. Hi
    I have a question about using SQL statement security. I created a DB search in ASP.NET 2.0 that searches my SQL Server database, and the syntax is:

    strSQLQuery = "SELECT file_url + ' ' + title AS file_url, title " _
    & "FROM Advice " _
    & "WHERE title LIKE '%" & Replace(strSearch, "'", "''") & "%' " _
    & "ORDER BY title;"

    If I don't use:

    Replace(strSearch, "'", "''")

    does it affect my website security?

    Thanks for any help
  2. You might want to trim a few more characters if injection security is your concern.

    i.e. braces and slashes, etc.

    All the best,

    Mark
     
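The following is an added example, not code from either post. It rewrites the search from post 1 so that the user's text is passed as a typed SqlParameter instead of being spliced into the SQL string: the quote-doubling Replace then becomes unnecessary, because the value never becomes part of the statement text. It also escapes the characters SQL Server's LIKE treats as wildcards, which is the kind of extra filtering Mark alludes to in post 2, so that a search for "100%" matches that literal text rather than everything. Assumed (not in the thread): a class named AdviceSearch, a connection string named "AdviceDb" in web.config, and a title column of at most 200 characters; the table and column names come from the original query.

```vbnet
' Added example (not from the original thread): the Advice title search written
' with a parameterized SqlCommand instead of string concatenation.
' Assumptions: table Advice with columns file_url and title (from the post),
' a connection string named "AdviceDb" in web.config (assumed name), and
' strSearch holding the raw text typed by the user.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

Public Class AdviceSearch

    ' SQL Server's LIKE gives %, _ and [ special meaning. Wrapping each in
    ' brackets makes the user's text match literally. The opening bracket is
    ' handled first so the brackets added afterwards are not escaped again.
    Public Shared Function EscapeLikePattern(ByVal input As String) As String
        If input Is Nothing Then Return String.Empty
        Return input.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]")
    End Function

    Public Shared Function Search(ByVal strSearch As String) As DataTable
        ' The statement contains only a placeholder; no user text is ever
        ' concatenated into it, so apostrophes in strSearch cannot end the
        ' string literal or append further SQL.
        Const strSQLQuery As String = _
            "SELECT file_url + ' ' + title AS file_url, title " & _
            "FROM Advice " & _
            "WHERE title LIKE @pattern " & _
            "ORDER BY title;"

        Dim results As New DataTable()
        Dim connStr As String = _
            ConfigurationManager.ConnectionStrings("AdviceDb").ConnectionString

        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(strSQLQuery, conn)
                ' Typed parameter: the driver sends the value separately from
                ' the statement text. The size (200, assumed) matches the column
                ' so the plan is cached consistently across searches.
                Dim p As SqlParameter = _
                    cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200)
                p.Value = "%" & EscapeLikePattern(strSearch) & "%"

                Using da As New SqlDataAdapter(cmd)
                    da.Fill(results)
                End Using
            End Using
        End Using

        Return results
    End Function

End Class
```

With this shape the answer to the original question is that the quote-doubling only ever handled one character; the parameter removes that whole class of problem, and the remaining filtering is about LIKE semantics rather than injection. The page could bind the returned DataTable directly to a GridView or repeater.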