Originally posted by: RedSquirrel
Originally posted by: Markbnj
A filter function could remove illegal characters and check for invalid syntax, but it could not protect against SQL injection attacks. It doesn't know what your intent is. "SELECT UserId, Password FROM User WHERE Login IS NOT NULL" looks the same to it as any other SQL syntax.
If the bulk of your query is the same on every execution, saving only that you substitute values, then parameterize it. If the queries contain arguments that are supplied by the user interactively, then definitely parameterize them. If they are different every time, as in an ad hoc query tool, then you have to take a different approach.
I would just filter the data that actually goes in the field ex: UPDATE table set field='text';
I would just pass text through the filter. The reason I need to go this way is I need to have access to the final string. When using parameterized queries I don't have that access. I have various debugging systems that need to know the exact strings going in the DB, which makes it tons easier to debug if something goes wrong, as this is in the middle of the development stage, so things will go wrong.
If there's some kind of way to get the final string, then maybe it will work. But really, is it that hard to get a list of bad chars in UTF16 and how to properly escape them? That would be a hell of a lot easier to do. I know there is a special quote that is the opposite of ` but not sure of others.
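An added example (not from either poster) in Python with SQLite that illustrates both points raised in this thread: the quote filter that is fine for `field='text'` has nothing to remove when the same user input lands in an unquoted `WHERE id=` clause, while a parameterized UPDATE keeps the value as data and still hands back the exact SQL template and bound values for a debugging log. The table, rows and input strings are constructed for the demonstration.

```python
import sqlite3

def escape_quotes(text: str) -> str:
    """The kind of character filter discussed above: double any single quote.
    Correct inside a quoted string literal, but it knows nothing about where
    the text ends up in the statement."""
    return text.replace("'", "''")

def make_db() -> sqlite3.Connection:
    # Constructed sample table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO item (name, qty) VALUES (?, ?)",
                     [("bolt", 10), ("nut", 20), ("washer", 30)])
    return conn

def set_qty_filtered(conn, item_id: str, qty: str) -> int:
    """String-built UPDATE with the filter applied to both values.
    Returns the number of rows changed."""
    sql = f"UPDATE item SET qty={escape_quotes(qty)} WHERE id={escape_quotes(item_id)}"
    return conn.execute(sql).rowcount

def set_name_parameterized(conn, item_id: int, name: str):
    """Parameterized UPDATE. The SQL template and the bound values are returned
    with the result so a debugging system can record exactly what was sent;
    the values never become part of the SQL text the engine parses."""
    sql = "UPDATE item SET name=? WHERE id=?"
    params = (name, item_id)
    rows = conn.execute(sql, params).rowcount
    return rows, sql, params

def qty_of_all(conn):
    return [row[0] for row in conn.execute("SELECT qty FROM item ORDER BY id")]

def name_of(conn, item_id: int) -> str:
    return conn.execute("SELECT name FROM item WHERE id=?", (item_id,)).fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    # Unquoted numeric context: the filter passes the text unchanged, the
    # engine reads it as SQL, and all three rows are changed instead of one.
    print(set_qty_filtered(conn, "1 OR 1=1", "0"), qty_of_all(conn))
    # Parameterized: an awkward value is stored verbatim, one row changes,
    # and template plus values are available for the debug log.
    print(set_name_parameterized(conn, 2, "nut' OR 1=1 --"))
    print(name_of(conn, 2))
```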