Is it possible to escape a single quote in SQL Server without another single quote?

ojackgk

New Member
We have some classic ASP pages that connect to a MS SQL Server database. To prevent SQL injection, we just replace all single quotes with a double single quote. This seems to be the method prescribed here: http://www.4guysfromrolla.com/webtech/061902-1.shtml

This still feels dangerous to me. Is there any way to escape the single quote with any other character, potentially opening up the SQL injection?

EDIT: We currently have a lot of old code that uses this single quote to double single quote replacement. If that is sufficient to prevent SQL injection, then we won't change anything. My real question is if this method is insecure.
 
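The following is an added example, not code from the original post or from the linked article. It shows the two cases that decide the question: doubling single quotes is a correct escape for a value that lands inside a T-SQL string literal (SQL Server has no backslash escape, so `''` is the only way to get a quote into a literal), but it does nothing for a value that is concatenated without quotes, such as a numeric ID. SQLite is used as a stand-in for SQL Server because it has the same quote-doubling rule and no backslash escape, so the string-literal behaviour carries over; the table and rows are constructed for the demonstration. The parameterised functions at the end are the alternative to escaping (in classic ASP the equivalent is an `ADODB.Command` with `?` placeholders and `CreateParameter`/`Parameters.Append`).

```python
import sqlite3

# Added example (not from the original post). SQLite stands in for SQL Server:
# both treat '' inside a string literal as a single quote and neither treats a
# backslash as an escape, so the quote-doubling behaviour is the same.


def make_demo_db():
    """In-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 0);
        INSERT INTO users VALUES (2, 'O''Brien', 0);
        INSERT INTO users VALUES (3, 'carol', 1);
    """)
    return conn


def escape_quotes(value):
    """The classic-ASP technique from the question: double every single quote."""
    return value.replace("'", "''")


# --- Query built by string concatenation, the way the old ASP code does it ---

def search_by_name_escaped(conn, name):
    # String context: the value sits between quotes, so an attacker cannot
    # close the literal. Everything they type stays inside the string.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escape_quotes(name)
    return conn.execute(sql).fetchall()


def search_by_id_escaped(conn, user_id):
    # Numeric context: there are no quotes around the value, so the attacker
    # never needs one. Quote doubling leaves "1 OR 1=1" completely untouched.
    sql = "SELECT id, name FROM users WHERE id = %s" % escape_quotes(user_id)
    return conn.execute(sql).fetchall()


# --- The same lookups with bound parameters instead of escaping ---

def search_by_name_param(conn, name):
    # The driver sends the value separately from the SQL text; no escaping
    # is needed and the value can never be parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def search_by_id_param(conn, user_id):
    # Validate the type first: a numeric column should only ever see an int.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (uid,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    payload_str = "x' OR '1'='1"
    payload_num = "1 OR 1=1"
    print("escaped, string context :", search_by_name_escaped(db, payload_str))
    print("escaped, numeric context:", search_by_id_escaped(db, payload_num))
    print("param, string context   :", search_by_name_param(db, payload_str))
    print("param, numeric context  :", search_by_id_param(db, payload_num))
```

Run it and the string-context payload returns nothing in both versions, while the numeric-context payload returns every row through the escaped query and nothing through the parameterised one. The practical check for the old code is therefore not "do we double quotes" but "is every concatenated value wrapped in quotes", including numbers, dates, `ORDER BY` columns and anything used in dynamic SQL inside stored procedures; any place that is not gets no protection from the replacement.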