Monday, March 26, 2012

Product Search question

I have a search box on my website which is used to search the products database.

I will be using the search text in an SQL stored procedure that uses LIKE statements. The search string could realistically contain any character.

How do I prevent SQL injection when any search string is reasonably feasible?

supergriff:

How do I prevent SQL injection when any search string is reasonably feasible?

I recommend that you read the weblog entry by Microsoft's Bertrand Le Roy, "Please, please, please, learn about injection attacks!"

Great, so if I'm using stored procedures, rather than string concatenation, this inherently prevents SQL injection? My search function is below:

Imports System.Data
Imports System.Data.SqlClient

' Select all visible products whose details match the search text.
' The search text is passed to the stored procedure as a typed parameter,
' never concatenated into SQL text on this side.
Public Function GetAllVisibleProductsBySearchString(ByVal SearchString As String) As DataTable
    Dim conn As SqlConnection = New SqlConnection(_connectionString)
    Dim cmdStoredProcedure As New SqlCommand("dis_GetAllVisibleProductsBySearchString", conn)

    cmdStoredProcedure.CommandType = CommandType.StoredProcedure

    ' Bind the search text to @SearchString as a VarChar(250) value.
    cmdStoredProcedure.Parameters.Add("@SearchString", SqlDbType.VarChar, 250).Value = SearchString

    Dim da As SqlDataAdapter = New SqlDataAdapter(cmdStoredProcedure)
    Dim ds As DataSet = New DataSet()
    Try
        conn.Open()
        da.Fill(ds, "Products")
    Catch e As SqlException
        ' Handle exception.
    Finally
        conn.Close()
    End Try

    Return ds.Tables("Products")
End Function
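The thread never shows the body of dis_GetAllVisibleProductsBySearchString, and that body is where the answer to the question actually lives: the VB code above is safe on its side because the search text travels as a parameter, but a stored procedure that pastes its parameter into a string and runs it with EXEC would reintroduce the injection the parameter was meant to avoid. The T-SQL below is an added example, not code from the thread or from the poster's database. The procedure and parameter names are the ones the VB code uses; the dbo.Products table, its columns and the sample rows are assumptions made so the script runs in a scratch database. It also shows the second thing a LIKE search needs that parameterisation does not give you: escaping the LIKE wildcards so that a user typing "100%" or "_" is matched literally rather than as a pattern.

```sql
-- Added example (not from the original thread). Table, columns and rows are
-- constructed; procedure and parameter names follow the poster's VB code.
CREATE TABLE dbo.Products (
    ProductId   INT IDENTITY(1,1) PRIMARY KEY,
    Name        NVARCHAR(100) NOT NULL,
    IsVisible   BIT NOT NULL
);
GO
INSERT INTO dbo.Products (Name, IsVisible) VALUES
    (N'Widget 100%',      1),
    (N'Widget 1000',      1),
    (N'O''Brien bracket', 1),
    (N'Hidden gadget',    0);
GO

-- Safe shape: the parameter is used as a VALUE inside LIKE. Whatever the user
-- typed (quotes, semicolons, comment markers) is only ever compared against
-- Name; it is never parsed as SQL. The LIKE metacharacters are escaped so the
-- user's text matches literally, and the procedure adds its own % on each side.
CREATE PROCEDURE dbo.dis_GetAllVisibleProductsBySearchString
    @SearchString VARCHAR(250)
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @Pattern NVARCHAR(300);
    -- Escape backslash first, then % _ [ with a backslash; the ESCAPE clause
    -- below declares backslash as the escape character. '[' is escaped so
    -- that user input like '[abc]' is not treated as a character class.
    SET @Pattern = REPLACE(REPLACE(REPLACE(REPLACE(@SearchString,
                        '\', '\\'),
                        '%', '\%'),
                        '_', '\_'),
                        '[', '\[');
    SET @Pattern = '%' + @Pattern + '%';

    SELECT ProductId, Name
    FROM dbo.Products
    WHERE IsVisible = 1
      AND Name LIKE @Pattern ESCAPE '\';
END
GO

-- Unsafe shape to avoid (shown as a comment only): building the statement as
-- a string and executing it. The search text becomes part of the SQL source,
-- and the parameterised call from VB does nothing to prevent that.
--   DECLARE @Sql NVARCHAR(MAX) =
--       N'SELECT ProductId, Name FROM dbo.Products WHERE Name LIKE ''%'
--       + @SearchString + N'%''';
--   EXEC (@Sql);
-- If dynamic SQL is genuinely needed, pass the value to sp_executesql as a
-- parameter instead of concatenating it into the statement.

-- Exercise the procedure with inputs that probe each point above:
-- a literal wildcard, an embedded quote, and a term that only hidden rows contain.
EXEC dbo.dis_GetAllVisibleProductsBySearchString @SearchString = '100%';
EXEC dbo.dis_GetAllVisibleProductsBySearchString @SearchString = 'O''Brien';
EXEC dbo.dis_GetAllVisibleProductsBySearchString @SearchString = 'gadget';
```

The three calls at the end are the checks worth keeping in a test database: the first should match only the name that contains a literal percent sign and not the one that merely starts with "100", the second should find the row whose name contains an apostrophe without any error, and the third should return nothing because the IsVisible filter is applied inside the procedure regardless of what the search text says. If the first call returns both Widget rows, the wildcard escaping is missing; if the second raises a syntax error, the parameter is being concatenated somewhere.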
