>A little more info on Injection Attacks. I've heard about them for a while. And was in the bookstore last night. I was looking at an ADO.Net book that discussed this issue. So I understand a little better.
>
>An injection attack occurs when you have a textbox on the screen where you prompt for a value, and then you dynamically build your SQL so your WHERE looks like "Where columnvalue = textboxvalue".
>
>An injection attack could occur if someone inputs a SQL statement in the correct format in the textbox. This will cause your SQL statement to be treated like a comment and not run, and the hacker's SQL statement to execute instead.
>
>A malicious update statement could corrupt your entire database at that point.
Yes, I understand now since Rod generously provided a good approach.
However, my approach was to always use something like:
loDataAdapter.cSQL="SELECT MyField FROM MyTable WHERE MyColumn="""+lcMyValue+""""
and not
loDataAdapter.cSQL="SELECT MyField FROM MyTable WHERE MyColumn=lcMyValue"
It is unclear to me if the first approach I always used was a candidate for SQL injection.
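An added example, not code from this thread, that puts the question above to the test in Python with an in-memory sqlite3 table (MyTable/MyColumn are constructed stand-ins for the names in the post; it uses the single quote as SQL string delimiter, but the reasoning is the same for the double quotes used above). It runs the quoted-concatenation pattern beside a parameterized query so the difference is visible in the rows returned.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for MyTable/MyColumn from the post.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE MyTable (MyField TEXT, MyColumn TEXT)")
    con.executemany(
        "INSERT INTO MyTable VALUES (?, ?)",
        [("row-a", "alpha"), ("row-b", "beta"), ("row-c", "gamma")],
    )
    return con


def query_concatenated(con, lc_my_value):
    # The post's "first approach": wrap the value in quotes and splice it in.
    # The quotes are just characters in the SQL text, so a quote inside the
    # input closes the literal early and whatever follows is parsed as SQL.
    sql = "SELECT MyField FROM MyTable WHERE MyColumn='" + lc_my_value + "'"
    return [row[0] for row in con.execute(sql)]


def query_parameterized(con, lc_my_value):
    # Placeholder plus parameter: the driver passes the value separately from
    # the statement text, so it is always compared as data, never parsed.
    sql = "SELECT MyField FROM MyTable WHERE MyColumn=?"
    return [row[0] for row in con.execute(sql, (lc_my_value,))]


def demo():
    con = make_db()
    benign = "alpha"
    # Constructed input containing a quote character: it ends the literal and
    # changes the WHERE clause, so the quoting in the post gives no protection.
    hostile = "zzz' OR 'x'='x"
    return {
        "concat_benign": query_concatenated(con, benign),
        "concat_hostile": query_concatenated(con, hostile),
        "param_benign": query_parameterized(con, benign),
        "param_hostile": query_parameterized(con, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated form the hostile value returns every row; with the parameterized form it matches nothing, because no MyColumn value equals that whole string.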