I've got this code which, with my little knowledge about SQL injection and ASP.NET, I believe is protected against any kind of SQL injection attack.
```vbnet
Imports System.Data.SqlClient

' Builds a T-SQL batch that runs the remote query through OPENQUERY on the linked server "db".
' conn is an already opened SqlConnection.
Dim commandText As String = "DECLARE @investor varchar(10), @sql varchar(1000) "
commandText += "SELECT @investor = '69836', "
commandText += "@sql = 'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 "
commandText += "WHERE investor = ' + @investor + ' '')' EXEC(@sql)"
Dim query As SqlCommand = New SqlCommand(commandText, conn)
```
I've read loads of articles about SQL injection attacks and not many of them say much about using `openquery`. I have to use a linked server in order to get the data back from the database.
I just would like to know if I've done this correctly to be SQL injection free, or if there is something else I need to do?
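As an added example (not code from the question): with the investor id hardcoded as a literal there is nothing an attacker can reach, so the question only matters once that value comes from a request. Because OPENQUERY accepts only a literal string, the remote query still has to be assembled in T-SQL; the pattern below passes the id as a SqlParameter and lets the batch refuse anything that is not purely digits before it is spliced in. It assumes the same open SqlConnection `conn`, linked server `db` and table `table1` as the question; `BuildInvestorCommand` is a hypothetical helper name.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module LinkedServerQuery
    ' Hypothetical helper: returns a command whose OPENQUERY text can only ever
    ' contain a numeric investor id, whatever the caller supplies.
    Function BuildInvestorCommand(conn As SqlConnection, investorId As String) As SqlCommand
        ' The value is rejected server-side unless it is all digits, so no quote,
        ' comment marker or statement separator can end up inside the OPENQUERY string.
        Dim commandText As String =
            "IF @investor IS NULL OR @investor = '' OR @investor LIKE '%[^0-9]%' " &
            "BEGIN RAISERROR('investor must be numeric', 16, 1); RETURN; END; " &
            "DECLARE @sql nvarchar(1000) = " &
            "N'SELECT * FROM OPENQUERY(db, ''SELECT * FROM table1 WHERE investor = ' " &
            "+ @investor + ''')'; " &
            "EXEC(@sql);"

        Dim cmd As New SqlCommand(commandText, conn)
        ' The id travels as a typed parameter (ADO.NET sends it via sp_executesql),
        ' never as part of the batch text itself.
        cmd.Parameters.Add("@investor", SqlDbType.VarChar, 10).Value = investorId
        Return cmd
    End Function
End Module
```

If the linked server has RPC Out enabled, `EXEC('SELECT * FROM table1 WHERE investor = ?', @investor) AT db` passes the value to the remote side as a real parameter and avoids building the string at all.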