SQL injection: isn't replace("'", "''") good enough?

sql-server tsql

Solution 1:

No, it is not enough. It will do in a pinch, but it is a very weak alternative, and using parameterized queries or parameterized stored procedures is better, if your platform and/or RDBMS support either feature.

From

OWASP's SQL Injection Prevention Cheat Sheet

...this methodology is frail compared to using parameterized queries. This technique should only be used, with caution, to retrofit legacy code in a cost effective way.

There are more below

SQL injection — but why isn't escape quotes safe anymore?

Sql Injection Myths and Fallacies

SQL Injection after removing all single-quotes and dash-characters

Solution 2:

Yes, .Replace("'", "''") stops SQL injection to the same degree that parameterization does.

There is still double or reflective injection. For example, you can store

'; delete from orders'

in a comment field. If part of the database uses the comment field in dynamic SQL, it might run the delete instead.

Related

generic way to print out variable name in c++
.htaccess 301 redirect for all https to http EXCEPT ONE PAGE
UILabel visible part of text
Three JS Keep Label Size On Zoom
Convert video from .mp4 to .ogg
Searching for words in Outlook 2010
How to find downloaded files location
Editing all instances of a string in Notepad++
How make a compressed tar when there are too many filenames for the shell to expand on a single line?
mount.nfs: rpc.statd is not running but is required for remote locking
Homebrew does not completely uninstall nginx
How to combine WebM and Opus to generate MP4?