SQL Server SQL Injection Articles

Using QUOTENAME() to Protect Against SQL Injection

QUOTENAME is a built-in function that has been available since at least SQL Server 2005. It returns a Unicode string with delimiters added so that the input string becomes a valid SQL Server delimited identifier (by default square brackets, so SQL Server becomes [SQL Server]; a delimiter character that appears inside the input is doubled). The article demonstrates this with a query whose output is as follows:

String       Default_QuoteName   QuoteName_WithQuote   Long_String
SQL Server   [SQL Server]        […]

Protecting Against SQL Injection

Despite being so well understood, SQL injection remains one of the most common vulnerabilities in web applications. What is SQL injection? Any SQL statement that is built dynamically from external input can have malicious SQL injected into it. For example, the code below reads a value from the query string and appends it to a SELECT string, which will […]
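The two articles above cover the same problem from two sides: dynamic SQL that concatenates user input, and QUOTENAME as the tool for the one piece of dynamic SQL that cannot be parameterised, the identifier. The T-SQL below is an added example written for this listing, not code from either article. It assumes a table dbo.Customers with columns CustomerID, Name and City, uses hypothetical procedure names, and relies on CREATE OR ALTER, so it needs SQL Server 2016 SP1 or later. It shows the vulnerable concatenation beside a hardened version, and finishes with the QUOTENAME behaviours the first article tabulates.

```sql
-- Added example (not from either article). Assumes dbo.Customers(CustomerID, Name, City).

-- Vulnerable form: the caller's column name and filter value are pasted into the statement.
CREATE OR ALTER PROCEDURE dbo.SearchCustomers_Vulnerable
    @SortColumn sysname,
    @CityFilter nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name, City FROM dbo.Customers '
      + N'WHERE City = ''' + @CityFilter + N''' '
      + N'ORDER BY ' + @SortColumn;
    EXEC (@sql);
    -- @CityFilter = N'x'' OR 1=1 --'            returns every row
    -- @SortColumn = N'1; DROP TABLE dbo.Customers' runs a second statement
END;
GO

-- Hardened form: the value travels as an sp_executesql parameter (never as text),
-- and the identifier is allow-listed against the catalog and wrapped in QUOTENAME.
CREATE OR ALTER PROCEDURE dbo.SearchCustomers_Safe
    @SortColumn sysname,
    @CityFilter nvarchar(100)
AS
BEGIN
    -- Allow-list: only a real column of the target table may be used for ORDER BY.
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Customers')
                     AND name = @SortColumn)
        THROW 50000, N'Unknown sort column', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name, City FROM dbo.Customers '
      + N'WHERE City = @City '
      + N'ORDER BY ' + QUOTENAME(@SortColumn);   -- e.g. [Name]; a ] in the input becomes ]]

    EXEC sys.sp_executesql
        @sql,
        N'@City nvarchar(100)',
        @City = @CityFilter;
END;
GO

-- QUOTENAME behaviour in one query (mirrors the columns of the first article's table):
SELECT QUOTENAME(N'SQL Server')          AS Default_QuoteName,   -- [SQL Server]
       QUOTENAME(N'Na]me')               AS Escaped_Bracket,     -- [Na]]me]
       QUOTENAME(N'O''Brien', '''')      AS QuoteName_WithQuote, -- 'O''Brien'
       QUOTENAME(REPLICATE(N'x', 129))   AS Long_String;         -- NULL: input longer than 128 chars
GO
```

Two points worth keeping in mind when reading the hardened procedure. First, QUOTENAME protects identifiers only; a value such as the city filter must be passed as a parameter to sp_executesql, not quoted with QUOTENAME(@value, '''') and concatenated, because that still leaves the value inside the statement text. Second, QUOTENAME returns NULL for input longer than 128 characters, so a concatenated statement silently becomes NULL in that case; the catalog check above rejects such input before it reaches QUOTENAME.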