07-23-2023, 07:48 AM
I did not see any other answers address this side of the 'why doing it yourself is bad', but consider a [SQL Truncation attack][1].
There is also the <code>[QUOTENAME][2]</code> T-SQL function that can be helpful if you can't convince them to use params. It catches a lot (all?) of the escaped quote concerns.
[1]:
[2]:
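An added example, not part of the answer above, showing the two points it makes from the defender's side: a home-grown escape routine lengthens the value, so a fixed-width column can silently truncate it (the basis of the SQL Truncation attack), which is why the length check has to happen on the escaped form or, better, the value goes through a parameter. The `quote_literal_like_quotename` helper is an assumption that mimics the documented QUOTENAME behaviour of returning NULL for inputs over 128 characters; it is not the T-SQL function itself. The table, column width and inputs are constructed, and sqlite3 stands in for SQL Server because the parameter mechanism is the same idea.

```python
import sqlite3

# Constructed example: pretend the name column can hold at most 10 characters.
COLUMN_WIDTH = 10


def home_grown_escape(value: str) -> str:
    """Quote doubling, the 'do it yourself' escaping the answer warns against."""
    return value.replace("'", "''")


def escaped_fits(value: str, width: int = COLUMN_WIDTH) -> bool:
    """Truncation guard: escaping can only lengthen the string, so compare the
    escaped length against the storage width and refuse the value instead of
    letting the database (or a fixed-size buffer) cut off the trailing part."""
    return len(home_grown_escape(value)) <= width


def quote_literal_like_quotename(value: str, max_len: int = 128):
    """Assumed helper mimicking QUOTENAME with a single-quote delimiter:
    returns None (the analogue of SQL NULL) when the input is longer than
    128 characters, otherwise doubles embedded quotes and wraps the value.
    A NULL result fails loudly instead of producing a truncated literal."""
    if len(value) > max_len:
        return None
    return "'" + value.replace("'", "''") + "'"


def insert_user(conn: sqlite3.Connection, name: str) -> int:
    """Parameterized insert: the value travels separately from the SQL text,
    so no escaping is needed and the length check is on the raw value."""
    if len(name) > COLUMN_WIDTH:
        raise ValueError("name exceeds column width")
    cur = conn.execute("INSERT INTO users(name) VALUES (?)", (name,))
    return cur.lastrowid


def lookup_user(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized lookup; a quote inside the value is just data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> list:
    """Round-trip a value containing a quote through parameterized statements."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)")
    tricky = "O'Brien"  # constructed input with an embedded quote
    insert_user(conn, tricky)
    return lookup_user(conn, tricky)


if __name__ == "__main__":
    print(demo())
```

The point of `escaped_fits` is the order of operations: a length check done on the raw input before escaping is what lets the escaped copy overrun the column, so the check belongs after escaping, or the value should be bound as a parameter so that no escaping step exists at all.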