• Frank (A.K.A. a5xo3z1):

    The major danger I am aware of from SQL injection attacks via data entered by a user and used in a stored procedure is when you dynamically build your queries and then execute them. The best way I know to completely eliminate this type of injection is to use the following code on your character datatypes: SET @LastName = REPLACE (@LastName, '''', '''''')

    That code ensures that all characters they enter will remain in the query to be compared against a column and cannot execute as its own query.

    Other than that I agree that all other forms of validation will be best handled before the input reaches the stored procedures.

    Robert W. Marda

    SQL Programmer

    bigdough.com

    The world’s leading capital markets contact database and software platform.

    Robert W. Marda
    Billing and OSS Specialist - SQL Programmer
    MCL Systems
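The two approaches discussed above in T-SQL, as an added example that is not part of the original post: the quote-doubling REPLACE the post recommends inside a dynamic-SQL stored procedure, next to the parameterized sp_executesql form that keeps the value out of the SQL text altogether. The dbo.Customer table and its columns are assumed.

```sql
-- Added example, not from the original post. Table and column names are assumed.
-- Variant 1: dynamic SQL built by concatenation, protected with the REPLACE
-- from the post. Doubling every single quote means the value can only ever be
-- the literal between the quotes; it cannot close the literal and start a new
-- statement.
CREATE PROCEDURE dbo.FindCustomerByLastName
    @LastName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- Escaped copy is wider than the parameter so doubling quotes never
    -- truncates and leaves an unbalanced quote in the generated SQL.
    DECLARE @Escaped NVARCHAR(MAX) = REPLACE(@LastName, '''', '''''');

    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customer '
             + N'WHERE LastName = ''' + @Escaped + N''';';
    EXEC (@sql);
END;
GO

-- Variant 2: pass the value as a parameter to sp_executesql. No escaping is
-- needed, the plan is reusable, and the same pattern covers non-character
-- types too (an INT concatenated without quotes gets no help from REPLACE).
CREATE PROCEDURE dbo.FindCustomerByLastName_Param
    @LastName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = @p;';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(100)', @p = @LastName;
END;
GO

-- Constructed input containing a quote: variant 1 compares the column against
-- the literal O'Brien after escaping; variant 2 receives the value unchanged.
EXEC dbo.FindCustomerByLastName       @LastName = N'O''Brien';
EXEC dbo.FindCustomerByLastName_Param @LastName = N'O''Brien';
```

The REPLACE only helps where the value lands inside single quotes; anything concatenated unquoted (numbers, identifiers, sort columns) needs the parameterized form or QUOTENAME.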