Preventing Injection attacks
To: Mike Yearwood (Toronto, Ontario, Canada)
Date: 25/08/2008 15:04:17
Forum: Microsoft SQL Server
Category: Other
SQL Server: SQL Server 2005
Thread ID: 01341172
Message ID: 01341592
Hi Mike,

I understand that. The question is - how to prevent the incorrect input using parameterized queries. We're installing URLScan, but how would you do this in code? Say, in a stored procedure, do you need to analyze each parameter?

Or should you try to do this in the front-end? Or use triggers in tables rejecting some input?

>There are two kinds of injection attacks. One is SQL Injection, which is when the user enters SQL code which you the programmer concatenate and turn into one big SQL command. This is prevented by parameterizing what the user enters. This also requires NO cleaning up of the user's entries.
>
>Instead of
>
>m.lcCmd = "select * from table where field = " + thisform.userentry
>
>do
>
>m.lcUserEntry = thisform.userentry
>m.lcCmd = "select * from table where field = ?m.lcUserEntry"
>
>The other injection is HTML / Javascript being entered into the fields. These you do have to try and filter out.
>
If it's not broken, fix it until it is.
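The two points in the quoted reply, a concatenated query versus a parameterized one, and output encoding for HTML entered into fields, as an added example that is not code from this thread or from either poster. It uses Python's standard sqlite3 module as a stand-in for SQL Server and a constructed in-memory customers table; the table, the rows and the function names are assumptions for illustration. The apostrophe in a perfectly legitimate surname is enough to show why splicing user text into the statement is fragile, and why the bound parameter needs no clean-up at all.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the SQL Server table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    # Parameterized inserts, the same technique the lookup below uses.
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(1, "Smith"), (2, "O'Brien"), (3, "Jones")],
    )
    return conn


def lookup_concatenated(conn, user_entry):
    """The pattern the reply warns against: user text spliced into the SQL string.

    Kept deliberately fragile to show the defect; the database parses whatever
    the user typed as part of the statement.
    """
    cmd = "SELECT id, name FROM customers WHERE name = '" + user_entry + "'"
    return conn.execute(cmd).fetchall()


def lookup_parameterized(conn, user_entry):
    """The value is bound as a parameter (the '?' placeholder, like ?m.lcUserEntry
    in the FoxPro snippet); the driver sends it as data, never as SQL text."""
    cmd = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(cmd, (user_entry,)).fetchall()


def render_comment(user_entry):
    """The second injection kind: text destined for an HTML page is encoded for
    that context, so markup characters are displayed rather than interpreted."""
    return "<p>" + html.escape(user_entry, quote=True) + "</p>"


def demo(name="O'Brien"):
    """Run the same input through both lookups and report what each did."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        # The embedded apostrophe terminates the literal early: a syntax error
        # for an honest customer, and a seam for anyone who types SQL on purpose.
        concat = "error: " + str(exc)
    param = lookup_parameterized(conn, name)
    return concat, param


if __name__ == "__main__":
    concat_result, param_result = demo()
    print("concatenated :", concat_result)
    print("parameterized:", param_result)
    print("html-encoded :", render_comment('5 < 6 & "quotes"'))
```

The stored-procedure question in the post has the same shape: once a value reaches the procedure as a typed parameter rather than as text pasted into dynamic SQL, there is nothing left to analyze, because the engine never treats it as code.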