When you construct an application that accesses data, you should assume that all user input is malicious until proven otherwise. Failure to do this can leave your application vulnerable to attack. One type of attack that can occur is called SQL injection, where malicious code is added to strings that are later passed to an instance of SQL Server to be parsed and run. To avoid this type of attack, use stored procedures with parameters where possible, and always validate user input.

Validating user input in client code is important so that you do not waste round trips to the server. It is equally important to validate parameters to stored procedures on the server to catch input that is not valid and that bypasses client-side validation.
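The following T-SQL is an added example and is not part of this Books Online topic. It puts the pattern the two paragraphs above warn against (a stored procedure that splices a user-supplied value into a statement string) beside the recommended form: a stored procedure that validates its parameter on the server and then passes the value as a typed parameter through sp_executesql, so the value is never parsed as SQL. The table dbo.Customers and its columns are assumed for illustration.

```sql
-- Added example, not from SQL Server Books Online. The table dbo.Customers
-- (CustomerId, LastName, City) is a hypothetical example table.

-- Unsafe pattern: the parameter value becomes part of the statement text, so
-- a value containing a quote character changes the structure of the statement
-- instead of being treated as data. Even the legitimate surname O'Brien
-- breaks this procedure with a syntax error.
CREATE PROCEDURE dbo.GetCustomersByLastName_Unsafe
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT CustomerId, LastName, City FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Recommended pattern: validate on the server (client-side checks can be
-- bypassed), then bind the value as a typed parameter.
CREATE PROCEDURE dbo.GetCustomersByLastName
    @LastName nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;

    -- Server-side validation: reject NULL or empty input.
    IF @LastName IS NULL OR LEN(@LastName) = 0
    BEGIN
        RAISERROR (N'LastName is required.', 16, 1);
        RETURN 1;
    END;

    -- Allow-list check: letters, space, hyphen and apostrophe only
    -- (adjust the set to the character repertoire your data actually uses).
    IF @LastName LIKE N'%[^-a-zA-Z '']%'
    BEGIN
        RAISERROR (N'LastName contains characters that are not allowed.', 16, 1);
        RETURN 1;
    END;

    -- Parameterized dynamic SQL: the statement text is a fixed literal and
    -- the value is bound to @p at execution time, so it cannot alter the
    -- statement's structure regardless of what it contains.
    EXEC sp_executesql
        N'SELECT CustomerId, LastName, City FROM dbo.Customers WHERE LastName = @p',
        N'@p nvarchar(50)',
        @p = @LastName;
END;
GO

-- Usage: the apostrophe in O'Brien is handled as data by the safe procedure.
EXEC dbo.GetCustomersByLastName @LastName = N'O''Brien';
```

The validation block is deliberately an allow-list rather than a search for "bad" characters: it states what a valid surname looks like and rejects everything else, which is both easier to reason about and independent of whatever the value is later used for. When no dynamic SQL is needed at all, a plain `SELECT ... WHERE LastName = @LastName` inside the procedure is simpler still and equally safe; sp_executesql is shown because it is the correct tool when the statement genuinely has to be assembled at run time.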

For more information about SQL injection and how to avoid it, see "SQL Injection" in SQL Server 2005 Books Online. For more information about validating stored procedure parameters, see "Stored Procedures (Database Engine)" and subordinate topics in SQL Server 2005 Books Online.
