05-21-2009, 10:14 AM
Evan Wrote:
btw speaking of sql injection, never ever ever build SQL statements directly from user form input. Always use parameterized queries. (and always check for isnullorempty() unless you like NPEs!) ado.net makes it easy so no real excuse not to.

Or filter the user input before you use it... which is mainly what a parameterized query is doing for you.
Instead of rewriting all of his DB queries he could just filter all of his post/get data before using it.
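As an added illustration of the two approaches being debated (this is not code from Evan's or the reply's post; the table, names and probe string are constructed), here is the same lookup done three ways in Python's sqlite3, whose `?` placeholders play the role of ADO.NET parameters:

```python
import sqlite3

# Constructed in-memory sample table, not data from the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")])
    conn.commit()
    return conn

# Textbook probe string: the kind of form input an injection check looks for.
PROBE = "x' OR '1'='1"

def lookup_concat(conn, name):
    """Vulnerable: the form value is pasted straight into the SQL text, so a
    quote in the input can alter the query's structure (or just break it)."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    """Parameterized: the driver sends the value separately from the SQL text,
    so whatever the input contains it is only ever compared as data."""
    if not name:  # reject empty input up front (the isnullorempty() point)
        raise ValueError("name must not be empty")
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def lookup_concat_filtered(conn, name):
    """'Filter the input' variant: strip quotes, then concatenate. It stops the
    probe above, but it also silently mangles legitimate names like O'Brien."""
    return lookup_concat(conn, name.replace("'", ""))

def concat_breaks_on_apostrophe(conn, name):
    """True if plain concatenation throws a SQL syntax error for this name."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("concat + probe   :", lookup_concat(db, PROBE))            # every user leaks
    print("param + probe    :", lookup_param(db, PROBE))             # no match
    print("param + O'Brien  :", lookup_param(db, "O'Brien"))         # correct row
    print("filtered O'Brien :", lookup_concat_filtered(db, "O'Brien"))  # lost
    print("concat O'Brien errors:", concat_breaks_on_apostrophe(db, "O'Brien"))
```

Run it and compare the first two lines: the parameterized query returns nothing for the probe, while the filtered-concatenation version only survives by discarding the apostrophe that real data may legitimately contain.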
