I have a quick question about SQL Injections... I want to know if replacing single quotes with extra single quotes is enough to prevent SQL Injections from QueryString-based database calls.
For example: http://www.mywebsite.com/viewPage.asp?id=1
Assume the following on the backend:
dim id, rs
id = request("id")
id = replace(id, "'", "''")
set rs = getResults(id)
Is this secure enough to prevent malicious attacks?
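An added example, not code from the question or from any ASP page: the same pattern mirrored in Python against an in-memory SQLite table, showing why doubling quotes does nothing for a value that is placed in a numeric context without surrounding quotes, beside a validated, parameterized alternative. The table name, rows and probe value are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample table standing in for the site's page data.
SAMPLE_PAGES = [(1, "Home"), (2, "About"), (3, "Admin")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def escape_quotes(value):
    """Same transformation as the ASP line replace(id, "'", "''")."""
    return value.replace("'", "''")


def lookup_concat(conn, raw_id):
    """Mirrors the question: escape quotes, then concatenate into the SQL text.

    id is a numeric column, so the value is not wrapped in quotes in the query.
    Any input that contains no quote characters passes through escape_quotes
    unchanged and is parsed by the database as SQL, not as a single value.
    """
    sql = "SELECT title FROM pages WHERE id = " + escape_quotes(raw_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, raw_id):
    """Hardened version: enforce the expected type, then bind as a parameter.

    Returns None when raw_id is not a plain decimal integer, so the request is
    rejected before any SQL is built; otherwise the value travels as a bound
    parameter and can never be interpreted as query syntax.
    """
    if re.fullmatch(r"[0-9]+", raw_id) is None:
        return None
    sql = "SELECT title FROM pages WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


if __name__ == "__main__":
    conn = make_db()
    probe = "1 OR 1=1"  # constructed quote-free input
    print(escape_quotes(probe) == probe)  # True: the escape changed nothing
    print(lookup_concat(conn, "1"))       # ['Home']
    print(lookup_concat(conn, probe))     # every row, not just id 1
    print(lookup_param(conn, probe))      # None: rejected before querying
    print(lookup_param(conn, "1"))        # ['Home']
```

In classic ASP the equivalent of the hardened path is an ADODB.Command whose parameters are supplied through CreateParameter rather than built by string concatenation, combined with the same integer check on request("id").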