8 comments

[ 3.2 ms ] story [ 33.1 ms ] thread
Bad advice. The correct solution to SQL injection is to use parameterized queries - relying on filters will screw you over if you actually need to insert metacharacters.
Yeah, I'm hoping / assuming the OP was submitted as a joke.
Hence the name omega coder, i.e. the last letter of the Greek alphabet, the bottom of the barrel.
Then it seems that Microsoft's MVPs have an obscure sense of humour.
Simply amazing that it's 2009 and people are still trying to escape strings by hand. C#, the language for which this piece was written, has had parameterized queries since 2001.
It's even better to put your queries in stored procs. It makes it easier for your DBA to review your queries.
A certain large Japanese software consultancy I know of outsources to people who learn programming best practices from blogs like this.

Code reviews there are never dull. Its sort of like a horror movie -- "Don't go in there, he's got a regexp to sanitize SQL! NO! NO! Oh, why didn't you listen!"