>>Hi Mike,
>>
>>I understand that. The question is - how to prevent the incorrect input using parameterized queries. We're installing URLScan, but how would you do this in code? Say, in Stored procedure do you need to analyze each parameter?
>>
>Do not use Dynamic SQL and there is no need to check what parameters are passed. Even if you get this:
There is nothing wrong with Dynamic SQL as long as the values are parameterized.
>
>@SomeVariable = 'SomeValue; SELECT * FROM PassWord'
>
>
>Your final SELECT will be:
>
>SELECT * FROM SomeTable WHERE SomeField = @SomeVariable
>
>
>and that is totally different that built select and exec() it, just because SomeField will be compared to string 'SomeValue; SELECT * FROM PassWord' and the command will not be parsed to two different commands.
>If you REALLY have to use Dynamic SQL use sp_executesql SP and pass all again as parameters.