Need to double inverted commas if using parameters?

Jon Maz

Hi,

A quick one:

If you are forming a dynamic sql statement using parameters from a web form,
you would normally double up any single inverted commas inputted by the user
to stop sql injection. But if you are using command parameters to build the
sql statement (as below), is this still necessary?

cmd.Parameters.Add("@subcategory", SqlDbType.VarChar).Value = subcategory;

TIA,

JON


PS First posted to aspmessageboard
http://www.aspmessageboard.com/forum/aspplus.asp?M=671672&T=671672&F=36&P=1 - no answers yet
 
No, it isn't.

Jon Maz said:
Hi,

A quick one:

If you are forming a dynamic sql statement using parameters from a web form,
you would normally double up any single inverted commas inputted by the user
to stop sql injection. But if you are using command parameters to build the
sql statement (as below), is this still necessary?

cmd.Parameters.Add("@subcategory", SqlDbType.VarChar).Value = subcategory;

TIA,

JON


PS First posted to aspmessageboard
http://www.aspmessageboard.com/forum/aspplus.asp?M=671672&T=671672&F=36&P=1 - no answers yet
 
IIRC, command parameters handle single quotes automatically, unlike full SQL
statements, which require doubling up single quotes.

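To show concretely why the answers above hold, here is an added example (not from any poster in this thread) that runs the same lookup three ways: pasting the input into the SQL text, doubling the single quotes by hand, and binding it as a parameter the way `cmd.Parameters.Add(...)` does. It uses Python's in-process sqlite3 instead of ADO.NET/SQL Server so it runs offline; the table, rows and inputs are constructed for the demonstration, and the binding behaviour is the same on both platforms.

```python
import sqlite3

# Constructed sample data standing in for a product table on the web site.
ROWS = [("shirts", "Blue shirt"), ("shoes", "Running shoe"),
        ("hats", "Cap"), ("men's", "Wool sweater")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (subcategory TEXT, name TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", ROWS)
    return conn


def query_concatenated(conn, subcategory):
    # The pattern the question is worried about: user input spliced into the
    # SQL text. A single quote in the input ends the literal and whatever
    # follows is parsed as SQL.
    sql = "SELECT name FROM product WHERE subcategory = '" + subcategory + "'"
    return [r[0] for r in conn.execute(sql)]


def query_escaped(conn, subcategory):
    # Manual doubling of single quotes. Correct here, but every call site
    # has to remember to do it, and it only covers the quote character.
    safe = subcategory.replace("'", "''")
    sql = "SELECT name FROM product WHERE subcategory = '" + safe + "'"
    return [r[0] for r in conn.execute(sql)]


def query_parameterised(conn, subcategory):
    # Equivalent of cmd.Parameters.Add("@subcategory", ...).Value = value:
    # the SQL text is fixed and the value travels separately, so a quote in
    # it is just a character of the value and never needs doubling.
    sql = "SELECT name FROM product WHERE subcategory = ?"
    return [r[0] for r in conn.execute(sql, (subcategory,))]


def compare(subcategory):
    """Run all three variants on one input and return their results."""
    conn = make_db()
    results = {"parameterised": query_parameterised(conn, subcategory),
               "escaped": query_escaped(conn, subcategory)}
    try:
        results["concatenated"] = query_concatenated(conn, subcategory)
    except sqlite3.Error as exc:  # broken SQL, e.g. an unterminated literal
        results["concatenated"] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for value in ("shirts", "men's", "shirts' OR '1'='1"):
        print(repr(value), compare(value))
```

A legitimate apostrophe in `men's` breaks the concatenated query outright, and an input that closes the quote changes what the concatenated query matches, while the bound parameter compares the whole string literally in both cases.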