I read here (http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx) that the TableAdapter/DataSet designer built into VS 2005 uses this mechanism automatically, as do the ASP.NET 2.0 data source controls.
How does this mechanism work? I can't understand how parametrizing resolves the problem.
For example, if the query string is expecting a string and the user enters:
DATABASE pubs --
It's still a string, right? If the user enters something like this, is an exception raised, or does nothing happen (the DB just stays safe)?
Thanks in advance!
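The mechanism the question asks about, as an added example (written here in Python's sqlite3 rather than ADO.NET, and not taken from the linked post): the same lookup written once by string concatenation and once with a `?` parameter, run against a constructed three-row stand-in for the pubs titles table, including the `DATABASE pubs --` input from the question.

```python
import sqlite3

# Constructed stand-in for the pubs "titles" table (not real pubs data).
TITLES = [
    "The Busy Executive's Database Guide",
    "Cooking with Computers",
    "O'Reilly on SQL",
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE titles (title TEXT)")
    conn.executemany("INSERT INTO titles VALUES (?)", [(t,) for t in TITLES])
    return conn

def find_unsafe(conn, title):
    """Concatenation: the user's text is pasted into the SQL statement and
    is parsed by the database as part of the query's grammar."""
    sql = "SELECT title FROM titles WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]

def find_safe(conn, title):
    """Parameterized: the statement text is fixed before any user data is
    seen; the value is bound separately and is only ever compared as a
    string, so quotes or '--' inside it are never read as SQL."""
    sql = "SELECT title FROM titles WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]

def store_safe(conn, title):
    """Inserting a value through a parameter stores it verbatim; nothing
    in it is executed, and no exception is raised."""
    conn.execute("INSERT INTO titles VALUES (?)", (title,))
    return conn.execute("SELECT title FROM titles WHERE title = ?",
                        (title,)).fetchone()[0]

def outcome(lookup, conn, title):
    """Return the rows a lookup yields, or 'syntax error' if the database
    could not parse the statement that was built from the input."""
    try:
        return lookup(conn, title)
    except sqlite3.OperationalError:
        return "syntax error"

if __name__ == "__main__":
    db = make_db()
    for text in ["O'Reilly on SQL", "DATABASE pubs --", "' OR '1'='1"]:
        print(repr(text), "unsafe:", outcome(find_unsafe, db, text),
              "| safe:", outcome(find_safe, db, text))
    print("stored verbatim:", store_safe(db, "DATABASE pubs --"))
```

The `DATABASE pubs --` text on its own is harmless even when concatenated, because it never closes the quoted literal; the difference shows up with a legitimate value containing an apostrophe (concatenation breaks, the parameter works) and with input that does close the quote (concatenation returns every row, the parameter returns none).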