SQL Injection

I want to use dhtmlxConnector to replace a lot of existing database code to connect our web app to a SQLServer backend through c#.

It seems the only defence against SQL Injection in the .net dhtmlxConnector code is this string escaping…

Convert.ToString(Value).Replace("'", "''")

Our security guys really don’t like simple escaping and sort of insist on parameterized queries as a minimum. They say that this code could be circumvented with special unicode characters.

I really want to use the connector. Please tell me what to say to them :smiley:

connectors does not allow to use parameterized queries.
I know that database engines can convert some unicode characters to others, and that the parameterized query is a better practice,
but since we are talking about MS SqlServer, and not about database protection in general, i think ‘double quoting’ is enough, at least i haven’t seen any working example how it could be hacked in t-sql