SQL Injection in Stored Procedure Query

DekBriteGet

New Member
I have a stored procedure which is going to return search results depending on what the user has typed into a standard search text box. Upon pressing enter in the search box I'm passing the query to search.aspx?q=whatever user entered. search.aspx has a SqlDataSource which accepts a querystring parameter and calls a stored procedure which joins a number of tables and contains the following where clauses...

[code]
where (description like '%' + @query + '%'
    or title like '%' + @query + '%'
    or calls.call_id like @query
    or r.firstname = @query
    or r.lastname = @query
    or n.note like '%' + @query + '%')
[/code]

...is this SQL injection safe, i.e. using parameters like this?

Thanks,
 
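Added example, not code from the post: the same parameterised LIKE pattern in Python with sqlite3 standing in for the T-SQL stored procedure (sqlite concatenates with `||` where T-SQL uses `+`; the table and rows are constructed). It shows that the bound value is never parsed as SQL, and that `%` and `_` typed by the user still act as LIKE wildcards unless they are escaped, which is the one thing the post's WHERE clause does not handle.

```python
import sqlite3

# Constructed sample rows standing in for the post's "calls" table.
SAMPLE_ROWS = [
    ("Printer jammed", "Call 1001: paper stuck in tray 2"),
    ("Login failure", "User cannot log in, 100% of attempts fail"),
    ("Disk_full", "Server disk at capacity"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calls (title TEXT, description TEXT)")
    conn.executemany("INSERT INTO calls VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_param(conn, query):
    """Same shape as the post's WHERE clause: the user text is bound as a
    value, so quotes or keywords in it are matched literally, never run."""
    sql = ("SELECT title FROM calls "
           "WHERE description LIKE '%' || ? || '%' "
           "OR title LIKE '%' || ? || '%'")
    return [row[0] for row in conn.execute(sql, (query, query))]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the user's text matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param_escaped(conn, query):
    """Parameterised AND wildcard-safe: % and _ in the input no longer
    widen the match (T-SQL supports the same ESCAPE clause)."""
    safe = escape_like(query)
    sql = ("SELECT title FROM calls "
           "WHERE description LIKE '%' || ? || '%' ESCAPE '\\' "
           "OR title LIKE '%' || ? || '%' ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, (safe, safe))]


if __name__ == "__main__":
    db = make_db()
    print(search_param(db, "' OR '1'='1"))      # [] - bound value is literal text
    print(search_param(db, "%"))                # every row - wildcard leaks through
    print(search_param_escaped(db, "%"))        # only the row containing a real '%'
```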