While I can certainly see the advantages of using parameters for SQL queries, especially

Question

0

Asked: May 27, 20262026-05-27T16:25:12+00:00 2026-05-27T16:25:12+00:00

While I can certainly see the advantages of using parameters for SQL queries, especially

0

While I can certainly see the advantages of using parameters for SQL queries, especially when dealing with datetimes and things like that, I’m still unsure about parameters as the only way to prevent SQL injection.
The fact is, I inherited an application and it has things like

"SELECT Field FROM Table WHERE Filter='"+userinput.Replace("'", "''")+"'"

all over the place. Now while those doesn’t look very pleasant to my eyes, and I wouldn’t mind rewriting them, my question is, do I need to? Try as I might, I can’t see a way to perform SQL injection with this.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-27T16:25:13+00:00

No, it is not enough. It will do in a pinch, but it is a very weak alternative, and using parameterized queries or parameterized stored procedures is better, if your platform and/or RDBMS support either feature.

From

OWASP’s SQL Injection Prevention Cheat Sheet

…this methodology is frail compared to using parameterized queries.
This technique should only be used, with caution, to retrofit legacy
code in a cost effective way.

There are more below

SQL injection — but why isn’t escape quotes safe anymore?

Sql Injection Myths and Fallacies

SQL Injection after removing all single-quotes and dash-characters

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

While I can certainly see the advantages of using parameters for SQL queries, especially

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply