>Michel, correct me if I am wrong, but usually the string delimiter in SQL is a single quote, thus easy to escape out, changing your sample above to:
>
>
>loDataAdapter.cSQL="SELECT MyField FROM MyTable WHERE MyColumn='"+lcMyValue+"'"
>
>
>And then passing "hello';drop table master.dbo.anyguess;go;select '" you can see how you can inject some potentially dangerous commands in there. Another simple thing that I like to test is whether the uuencode/decode is used to prevent another mischief, as in entering
>
><script>alert('Hello world');</script>
>
>in a field that is saved in the database and later displayed on a browser. If you encode the result correctly the actual value stored would be
>
>&lt;script&gt;alert("Hello World
>
>and so on, otherwise every time that field is Response.Written you would actually cause the code to execute.
Thanks, I now understand this situation better. I also resolved the issue of properly instantiating and calling my data object with parameters.