http://blogs.msdn.com/b/glengordon/archive/2008/04/15/some-sql-injection-attack-misperceptions-and-reality.aspxMy colleague Brian just posted about an error page he encountered on a public ecommerce site, and the clues it gave him about how the coding of that site was wrong in a lot of ways.&#160; He gave some good tips on fighting SQL Injection attacks, but Ien-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.msdn.com/b/glengordon/archive/2008/04/15/some-sql-injection-attack-misperceptions-and-reality.aspx#8407936Fri, 18 Apr 2008 18:03:17 GMT91d46819-8472-40ad-a661-2c78acb4018c:8407936Andy White<p>&gt;I'll just write code that replaces all the single quotes in the user's input with two single quotes in a row, and I'll be fine</p> <p>Just to be clear, I always use input validation with parameterized queries and stored procs and always try to avoid EXEC statements. </p> <p>But I have always been curious, how can the scheme of replacing all single quotes with two single quotes be defeated? Do you have an example?</p> <p>Thanks.</p><div style="clear:both;"></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=8407936" width="1" height="1">http://blogs.msdn.com/b/glengordon/archive/2008/04/15/some-sql-injection-attack-misperceptions-and-reality.aspx#8398195Tue, 15 Apr 2008 23:47:04 GMT91d46819-8472-40ad-a661-2c78acb4018c:8398195Microsoft news and tips &raquo; Some SQL injection attack misperceptions - and reality<p>PingBack from <a rel="nofollow" target="_new" href="http://microsoftnews.askpcdoc.com/?p=2650">http://microsoftnews.askpcdoc.com/?p=2650</a></p> <img src="http://blogs.msdn.com/aggbug.aspx?PostID=8398195" width="1" height="1">