On Tue, 22 Mar 2005 05:42:54 -0500, Ted Husted <[EMAIL PROTECTED]> wrote:
> > > Doing so exposes it to an SQL injection attack.
> >
> > But I'm replacing all single quotes with double quotes, as you can
> > see. I'm using iBATIS with an application server and thought that it is
> > enough to replace one single quote with a doubled single quote. Isn't it?
> ...
> Do we have any unit tests which show how iBATIS.NET reacts when SQL
> injection is attempted?

What tests do you mean? A test that shows how performance increases when parameters are replaced with their values, or a test that shows how SQL injection is avoided with the Replace("\'", "\'\'") operator? I could try to write some for SQL injection. Should I?

> If there is a debate over a feature, the best thing might be to focus
> on tests that demonstrate the feature.

There is one more problem: the performance problem with sp_executesql is specific to MS SQL Server, so replacing parameters with their values is relevant only for MS SQL connections. For all others it will be unnecessary, AFAIK.

Good luck.
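The thread asks two things: whether Replace("'", "''") is enough, and whether there are tests that show what happens when injection is attempted. The following is an added example, not code from the thread or from iBATIS.NET, of the kind of test that would answer both. It uses Python with an in-memory SQLite database as a stand-in for MS SQL Server (an assumption: both treat a doubled single quote inside a string literal as a literal quote, which is the only property the example relies on), with constructed sample rows. It shows the inlined-value approach working for a quoted string parameter, failing for an unquoted numeric parameter where there is no quote to double, and the bound-parameter alternative handling both.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
SCHEMA = """
CREATE TABLE users(id INTEGER, name TEXT);
INSERT INTO users VALUES (1, 'alice'), (2, 'O''Brien'), (3, 'carol');
"""


def escape_literal(value: str) -> str:
    """The Replace("'", "''") idea from the thread, wrapped in quotes.

    Inside a string literal a doubled single quote is a literal quote
    (true for SQLite as well as for MS SQL Server), so the closing quote
    cannot be terminated early by the value itself.
    """
    return "'" + value.replace("'", "''") + "'"


def query_by_name_inlined(name: str) -> str:
    # String-literal context: quote doubling is the correct escaping here.
    return "SELECT id, name FROM users WHERE name = " + escape_literal(name)


def query_by_id_inlined(user_id: str) -> str:
    # Numeric (unquoted) context: there is no quote to break out of, so
    # doubling quotes changes nothing and the input is parsed as SQL.
    return "SELECT id, name FROM users WHERE id = " + user_id.replace("'", "''")


def run(sql: str, params: tuple = ()) -> list:
    """Run one statement against a fresh in-memory database and return rows."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


def query_by_id_bound(user_id: str) -> list:
    # Parameters left as parameters: the value is bound by the driver and
    # never parsed as SQL, so "1 OR 1=1" is just a string no integer equals.
    return run("SELECT id, name FROM users WHERE id = ?", (user_id,))


if __name__ == "__main__":
    print(run(query_by_name_inlined("O'Brien")))       # [(2, "O'Brien")]
    print(run(query_by_name_inlined("' OR '1'='1")))   # []
    print(run(query_by_id_inlined("1 OR 1=1")))        # all three rows
    print(query_by_id_bound("1 OR 1=1"))               # []
```

The point for the thread: the Replace approach is sound only for parameters that the mapped statement places inside a string literal; a parameter substituted into a numeric comparison, an IN list or an identifier position is not protected by it, and a unit test like the one above is the simplest way to make that visible per statement type.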