Thread: QuotedSQLString and injection attacks?
Wed, Oct 10 2012 4:22 AM

Matthew Jones

Indeed, but since I can slip occasionally, I'd like to know if QuotedSQLString will
protect me.

/Matthew Jones/
Wed, Oct 10 2012 5:37 AM

Roy Lambert

NLH Associates

Team Elevate

Matthew


>Indeed, but since I can slip occasionally, I'd like to know if QuotedSQLString will
>protect me.

NO!!!!!

Roy
Wed, Oct 10 2012 9:02 AM

Matthew Jones

Why not? Surely it will be quoting the quotes to stop any "breaking out of string"?

/Matthew Jones/
Wed, Oct 10 2012 9:23 AM

Roy Lambert

NLH Associates

Team Elevate

Matthew


All QuotedSQLString does is stick quotes round things, and double up existing quotes. If this is just being used as a parameter in a WHERE clause you'll be pretty safe, but it won't take out any potentially dangerous SQL code (e.g. the famous DROP TABLE one) which could in some circumstances be run.

Relying on QuotedSQLString as a safety device is a big no-no.

Roy Lambert [Team Elevate]
Wed, Oct 10 2012 2:07 PM

Matthew Jones

> which could in some circumstances be run.

In which circumstances? That's the key. How? Only if I've mucked up my SQL and
added a spare quote will it allow a hole, and I'd spot that immediately with the
good data.

/Matthew Jones/
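As an added example (not code from the thread, and not Elevate Software's implementation), the Python below emulates what Roy describes QuotedSQLString doing, builds the WHERE clause both the intended way and with the "spare quote" Matthew mentions, and checks whether the value is still confined to one string literal. The emulation of QuotedSQLString and the table and column names are assumptions.

```python
from typing import List


def quoted_sql_string(value: str) -> str:
    """Assumed emulation of QuotedSQLString as Roy describes it: wrap the value
    in single quotes and double any single quote already inside it."""
    return "'" + value.replace("'", "''") + "'"


def string_literals(sql: str) -> List[str]:
    """Return the decoded content of every single-quoted literal in `sql`.
    A doubled quote inside a literal decodes to one quote; everything
    outside a literal is treated as SQL code."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1                      # code, not a literal
            continue
        i += 1                          # opening quote
        buf = []
        while i < n:
            if sql[i] == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    buf.append("'")     # escaped quote, still inside the literal
                    i += 2
                    continue
                i += 1                  # closing quote
                break
            buf.append(sql[i])
            i += 1
        literals.append("".join(buf))
    return literals


def value_stays_in_literal(sql: str, value: str) -> bool:
    """True only if the user's value is the whole content of one literal;
    otherwise part of it has reached the code outside the quotes."""
    return value in string_literals(sql)


def correct_where(name: str) -> str:
    # Intended use: the helper supplies the only quotes around the value.
    return "SELECT * FROM Customers WHERE Name = " + quoted_sql_string(name)


def spare_quote_where(name: str) -> str:
    # The "mucked up my SQL" case: an extra pair of quotes around the helper.
    # The doubled quote no longer keeps the value inside a string.
    return "SELECT * FROM Customers WHERE Name = '" + quoted_sql_string(name) + "'"
```

Even benign input such as a plain surname breaks the spare-quote form, which is why the mistake is usually caught with good data; a parameterised query removes the string-building problem altogether.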
Thu, Oct 11 2012 3:52 AM

Roy Lambert

NLH Associates

Team Elevate

Matthew

>> which could in some circumstances be run.
>
>In which circumstances? That's the key. How? Only if I've mucked up my SQL and
>added a spare quote will it allow a hole, and I'd spot that immediately with the
>good data.

If I'd had the faintest idea I would have told you <vbg>

Roy Lambert [Team Elevate]
Thu, Nov 1 2012 6:22 AM

Matthew Jones

http://stackoverflow.com/questions/13171048 is a variation on this, FWIW.

/Matthew Jones/