Building SQL Statements Securely
Building SQL strings in code is problematic. A simple way to remedy this is to leave the completion of the SQL string to the database and to not attempt the SQL string construction in your code. You can do this in two ways. The first is to pass the input of the user to a stored procedure; SQL Server supports stored procedures.
If your Web application uses open database connectivity (ODBC) and you want to use parameters, you need to use the SQLNumParams and SQLBindParam functions. If you use OLE DB, you can use the ICommandWithParameters interface.
Copyright © 2005 Microsoft Corporation.
All rights reserved.