SQL injection

I will be going to use MSSQL 2000 to develop the web application.
But I am told to use inline SQL (i.e. not Stored Procedures) to develop the web application.
I am concerned about SQL injection.
Will the preparedStatement help to eliminate the problem of SQL injection?
If not, are there any written classes that can help us to format the user input?
william007 asked:
Ryan Chong commented:
>>will the preparedStatement help to eliminate the problem of SQL injection?
YES (as far as I know)

For me, I will do another round of validation against the resultset returned to ensure the username and password are exactly matched, before proceeding to the next stage.
Ryan Chong commented:
Try reading 5.2, Use of Prepared statements, from this article:
http://www.securitydocs.com/library/3587
TimYates commented:
>> YES (as what i know)

ryancys is right...  PreparedStatements == No Injection :-)

No points for me please, ryancys got it first time :-)
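A worked illustration of the point made in the answers above, added here and not code from any of the posters: Python's standard-library sqlite3 stands in for JDBC against MSSQL 2000 (its `?` placeholders correspond to binding values on a JDBC PreparedStatement), and the users table and rows are constructed for the example. It contrasts inline SQL built by string concatenation with a prepared statement, and adds the exact-match check on the returned row that Ryan Chong suggests.

```python
import sqlite3


def open_sample_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "pw")])
    conn.commit()
    return conn


def login_inline_sql(conn, username, password):
    """Inline SQL: user input is spliced into the statement text, so any quote
    in the input is parsed as SQL grammar rather than treated as data."""
    sql = ("SELECT username, password FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    """Prepared statement: the SQL is parsed with placeholders first and the
    values are bound afterwards, so they can never alter the statement."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    # Second check on the returned row, as Ryan Chong suggests: the stored
    # values must match the submitted ones exactly (SQLite's default text
    # comparison is case-sensitive; an MSSQL collation may not be).
    return row is not None and row[0] == username and row[1] == password


def inline_sql_fails_on_quote(conn, username="o'brien", password="pw"):
    """Returns True when the inline query cannot even be parsed for a
    legitimate username containing a quote; the prepared form handles it."""
    try:
        login_inline_sql(conn, username, password)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    print("prepared, valid creds:", login_prepared(db, "alice", "s3cret"))
    print("prepared, quote in name:", login_prepared(db, "o'brien", "pw"))
    print("inline breaks on quote:", inline_sql_fails_on_quote(db))
```

The same quote that breaks the concatenated query is exactly what lets attacker-controlled input change the statement's structure; the bound parameter never reaches the parser, which is why the prepared form closes the hole.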
william007 (author) commented:
Thanks:-)