From: Erland Sommarskog
Newsgroups: comp.databases.ms-sqlserver
Subject: Re: Escape Characters in Strings
Date: Wed, 22 Aug 2012 23:35:15 +0200
Organization: Erland Sommarskog
References: <2s0a38toaa3n1th1e42kmat8n0ei6v9bah@4ax.com>

Gene Wirchenko (genew@ocis.net) writes:
> I will be building only statements that execute stored
> procedures. e.g.
> execute ExampleProc 'abc',1,2,3
> or
> execute ExampleProc theString='abc',foo=1,bar=2,baz=3
> Does that count?

Yes, that counts, and you should not be doing it. Assuming that you are
using C#, it should look like this:

   cmd.CommandType = CommandType.StoredProcedure;
   cmd.CommandText = "dbo.ExampleProc";   // Always include schema!
   cmd.Parameters.Add("@theString", SqlDbType.VarChar, 20);
   cmd.Parameters["@theString"].Value = "abc";

This results in an RPC call which is more efficient. And there is no
risk of SQL injection.

-- 
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Links for SQL Server Books Online:
SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx
SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx
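The reply above shows only the first parameter. The following is an added example, not code from either poster, that carries the same pattern through for all four parameters of Gene's `execute ExampleProc theString='abc',foo=1,bar=2,baz=3` call, wrapped in a complete ADO.NET method. It assumes that `foo`, `bar` and `baz` are `int` parameters, that `theString` is `varchar(20)`, and that `dbo.ExampleProc` exists; the connection string is a placeholder.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Calls dbo.ExampleProc as an
// RPC with typed parameters, instead of assembling
// "execute ExampleProc 'abc',1,2,3" as a text statement on the client.
// Assumptions: foo/bar/baz are int, theString is varchar(20), and the
// stored procedure exists in the target database.
static class ExampleProcCaller
{
    public static int CallExampleProc(string connectionString,
                                      string theString, int foo, int bar, int baz)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "dbo.ExampleProc";   // schema-qualified, as the post recommends

            // Each value is sent as a typed RPC argument, never spliced into SQL text,
            // so quotes or other special characters in theString are plain data.
            cmd.Parameters.Add("@theString", SqlDbType.VarChar, 20).Value = theString;
            cmd.Parameters.Add("@foo", SqlDbType.Int).Value = foo;
            cmd.Parameters.Add("@bar", SqlDbType.Int).Value = bar;
            cmd.Parameters.Add("@baz", SqlDbType.Int).Value = baz;

            conn.Open();
            // Rows affected, or -1 if the procedure does not report a count.
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // Placeholder connection string; replace with your own.
        string cs = "Server=(local);Database=ExampleDb;Integrated Security=true";
        int rows = CallExampleProc(cs, "abc", 1, 2, 3);
        Console.WriteLine("Rows affected: " + rows);
    }
}
```

Because `CommandType.StoredProcedure` makes the driver issue an RPC, the server receives the procedure name and a list of typed arguments rather than a T-SQL batch to parse; that is why no escaping of the string value is needed on the client side. The `SqlParameterCollection.Add(string, SqlDbType)` and `Add(string, SqlDbType, int)` overloads used here both return the new `SqlParameter`, which is why `.Value` can be set on the same line.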