SQL Injection with RS.AddNew 1

[Mugs321]

Hey all,
Is it necessary to run an SQL Injection Prevention routine when adding data to the DB using the RS.AddNew/Update method? I've noticed that even if you write something like:

'; drop table xxx; --

... the text is added, as is, right into the DB.

I just wanna make totally sure that it's safe not to check for injection techniques.

thx.

 

[Sheco]

If you need to prove the security to someone, and assuming you are using MS SQL Server, you could use the SQL Profiler to start a Trace and run your ASP with the injection values.

The trace will allow you to see exactly what goes to the database when your code runs the AddNew.

See the SQL Server Books Online help file for details.

 

[Mugs321]

I ran it through SQL Profiler and the following happened:

-Single quotes were escaped
-All other data was entered as was (ie. -- and ; had not effect)