While I can certainly see the advantages of using parameters for SQL queries, especially when dealing with datetimes and things like that, I'm still unsure about parameters as the only way to prevent SQL injection.
The fact is, I inherited an application and it has things like
"SELECT Field FROM Table WHERE Filter='"+userinput.Replace("'", "''")+"'"
all over the place. Now while those doesn't look very pleasant to my eyes, and I wouldn't mind rewriting them, my question is, do I need to? Try as I might, I can't see a way to perform SQL injection with this.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…