Hari.Sharma (7/14/2008)
The best way to avoid SQL Injection is use of Stored Procedures.
The only way to 100% for certain avoid SQL injection is to use properly parameterised queries or stored procedures.
And don't make the mistake of using stored procedures that dynamically build up SQL strings inside the proc and then exec it. Procs like that are just as vulnerable to SQL injection as a dynamic string on the front end.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
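To make the point in the reply above concrete, here is an added T-SQL illustration (written for this page, not code from either poster). It assumes a hypothetical table dbo.Customers(CustomerId, Name, City) and shows the weak "build a string and EXEC it" pattern next to two parameterised versions, one with no dynamic SQL and one using sp_executesql where dynamic SQL is genuinely needed.

```sql
-- Added illustration (not from the thread). Assumes a hypothetical table
-- dbo.Customers(CustomerId, Name, City).

-- WEAK: the proc concatenates its argument into a SQL string and runs it
-- with EXEC. The argument is treated as SQL text, so this proc is as exposed
-- to injection as string-built SQL on the front end.
CREATE PROCEDURE dbo.GetCustomersByCity_Weak
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name, City FROM dbo.Customers '
             + N'WHERE City = ''' + @City + N''';';
    EXEC (@sql);
END;
GO

-- CORRECTED (preferred): reference the parameter directly. No dynamic SQL,
-- so the argument is only ever a value, never part of the statement text.
CREATE PROCEDURE dbo.GetCustomersByCity
    @City nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Name, City
    FROM dbo.Customers
    WHERE City = @City;
END;
GO

-- CORRECTED (when dynamic SQL is unavoidable, e.g. an optional predicate):
-- keep the values as bound parameters with sp_executesql. The statement
-- text only ever contains parameter names, never caller-supplied data.
CREATE PROCEDURE dbo.GetCustomersByCity_Dynamic
    @City nvarchar(50),
    @Name nvarchar(50) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name, City FROM dbo.Customers '
             + N'WHERE City = @City';
    IF @Name IS NOT NULL
        SET @sql = @sql + N' AND Name = @Name';
    EXEC sys.sp_executesql @sql,
        N'@City nvarchar(50), @Name nvarchar(50)',
        @City = @City, @Name = @Name;
END;
GO
```

A quick review check for existing procs: any EXEC(@string) or sp_executesql call whose statement text is built by concatenating a parameter belongs in the first category, regardless of how the proc is called from the application.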