Bad advice. The correct solution to SQL injection is to use parameterized queries - relying on filters will screw you over if you actually need to insert metacharacters.
Simply amazing that it's 2009 and people are still trying to escape strings by hand. C#, the language for which this piece was written, has had parameterized queries since 2001.
A certain large Japanese software consultancy I know of outsources to people who learn programming best practices from blogs like this.
Code reviews there are never dull. Its sort of like a horror movie -- "Don't go in there, he's got a regexp to sanitize SQL! NO! NO! Oh, why didn't you listen!"
8 comments
[ 3.2 ms ] story [ 33.1 ms ] threadCode reviews there are never dull. Its sort of like a horror movie -- "Don't go in there, he's got a regexp to sanitize SQL! NO! NO! Oh, why didn't you listen!"