babar_ch - Wednesday, January 24, 2018 10:46 PM
Blacklisting doesn't work except against the simplest forms of SQL injection. It's a false sense of security that anyone competent (or any well-written injection tool) will get around.
Parameterise your queries and DO NOT concatenate input into strings and execute them.
I don't think that 2005 had table-type parameters (and why are you using something so old and out of support), so you'll need to pass a comma-delimited list and use a string splitting function.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
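Worked example of the approach described above, added here and not part of the original post: the comma-delimited list travels as a single parameter, a splitting function turns it into rows, and the query joins against those rows, so the list text is only ever data and never executed. The function uses a tally built from sys.all_objects, which works on SQL Server 2005; the table dbo.Orders and its columns are assumptions for illustration.

```sql
-- Inline table-valued function: splits a comma-delimited string into INT rows.
-- Every item is cast to INT, so anything that is not a number fails the call
-- instead of being interpreted as SQL.
CREATE FUNCTION dbo.SplitInts (@List NVARCHAR(MAX))
RETURNS TABLE
AS
RETURN
(
    WITH Tally AS (
        -- one row per character position in @List (sys.all_objects exists in 2005)
        SELECT TOP (ISNULL(LEN(@List), 0))
               ROW_NUMBER() OVER (ORDER BY (SELECT NULL)) AS N
        FROM sys.all_objects AS a CROSS JOIN sys.all_objects AS b
    ),
    Items AS (
        -- N is the position right after a delimiter; take text up to the next comma
        SELECT SUBSTRING(@List, N, CHARINDEX(',', @List + ',', N) - N) AS Item
        FROM Tally
        WHERE SUBSTRING(',' + @List, N, 1) = ','
    )
    SELECT CAST(LTRIM(RTRIM(Item)) AS INT) AS Value
    FROM Items
    WHERE LTRIM(RTRIM(Item)) <> ''   -- ignore empty entries such as '10,,20'
);
GO

-- The list arrives as ONE parameter; no dynamic SQL is built from it.
CREATE PROCEDURE dbo.GetOrdersByCustomerIds
    @CustomerIdList NVARCHAR(MAX)    -- e.g. N'10,20,30'
AS
BEGIN
    SET NOCOUNT ON;
    SELECT o.OrderID, o.CustomerID, o.OrderDate
    FROM dbo.Orders AS o                           -- assumed table
    INNER JOIN dbo.SplitInts(@CustomerIdList) AS ids
        ON ids.Value = o.CustomerID;
END;
GO

-- Call from the application with a parameter, exactly as a client library would:
EXEC sp_executesql
    N'EXEC dbo.GetOrdersByCustomerIds @CustomerIdList = @ids;',
    N'@ids NVARCHAR(MAX)',
    @ids = N'10, 20,30';
```

Rejecting a list item that does not cast to INT is the desired behaviour: a tampered value produces a conversion error rather than a second statement.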