Steve Jones - Editor (3/22/2008)
Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.
I would not go quite this far, Steve. Rather I would say that any application that allows users to type in text that is eventually used in the construction of strings that are executed as SQL is vulnerable.
The difference being that applications that do allow users to enter data, but only use that data as parameters (via ADO.net parameter objects) to stored procedures that only use them as variables to SQL statements (i.e., never dynamic SQL) should not be vulnerable to SQL injection attacks. Of course not many development environments are that disciplined.
Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
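An added example illustrating the distinction made in the reply above (it is not code from the thread or from either poster). It uses Python's sqlite3 parameter binding in place of ADO.NET parameter objects, and a plain Python function to stand in for a stored procedure, since SQLite has none. The table, users and the injected strings are all constructed for the demonstration. `login_dynamic` pastes user text into the SQL string, `login_parameterized` hands the same text to the driver as a bound parameter, and `proc_find_user_dynamic` shows the remaining hole the reply points at: a procedure that receives a parameter and then builds dynamic SQL from it anyway.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_dynamic(conn, name, password):
    """Vulnerable: the typed text becomes part of the SQL that is executed."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Safe: the SQL text is fixed; the typed text only ever reaches the
    engine as a bound parameter value, never as part of the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def proc_find_user_dynamic(conn, name):
    """Stand-in for a stored procedure that accepts @name as a parameter but
    then concatenates it into dynamic SQL. Passing the value as a parameter at
    the call site does not help here; the procedure itself reintroduces the
    concatenation, which is the case the reply above says is still vulnerable."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def proc_find_user_parameterized(conn, name):
    """Stand-in for a procedure that uses @name only as a variable in a static
    statement; the typed text can never change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"
    print("dynamic login:", login_dynamic(db, "alice", injected))
    print("parameterized login:", login_parameterized(db, "alice", injected))
    print("dynamic proc:", proc_find_user_dynamic(db, "x" + injected))
    print("parameterized proc:", proc_find_user_parameterized(db, "x" + injected))
```

With the password `' OR '1'='1`, the dynamic version returns every user because the WHERE clause becomes `name = 'alice' AND password = '' OR '1'='1'`; the parameterized version returns nothing because the engine compares the literal string. The same contrast holds for the two procedure stand-ins, which is why the reply's condition is "never dynamic SQL" inside the procedure, not merely "parameters at the call site".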