Validating User Input



When you construct an application that accesses data, you should assume that all user input is malicious until proven otherwise. Failure to do this can leave your application vulnerable to attack. One type of attack that can occur is called SQL injection, where malicious code is added to strings that are later passed to an instance of SQL Server to be parsed and run. To avoid this type of attack, you should use stored procedures with parameters where possible, and always validate user input.

Validating user input in client code is important so that you do not waste round trips to the server. It is equally important to validate parameters to stored procedures on the server to catch input that is not valid and that bypasses client-side validation.
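The following is an added example, not code from this page or from Microsoft, that shows the two points above in working code: a query built by string concatenation beside the same query with a parameter, and an input check that runs both on the client and again on the "server" before the query executes. It uses Python's standard `sqlite3` module as a stand-in for SQL Server; because SQLite has no stored procedures, the server-side procedure is modelled as the function `usp_find_customer` (a hypothetical name), and the table, rows, and the `NAME_PATTERN` rule are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Create an in-memory database with a constructed Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerId INTEGER, Name TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Customers VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.com"), (2, "Bob", "bob@example.com")],
    )
    return conn


def find_by_name_vulnerable(conn, name):
    """Builds the statement by concatenation: the input becomes part of the SQL text,
    so a crafted value can change what the statement means."""
    sql = "SELECT CustomerId FROM Customers WHERE Name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_parameterized(conn, name):
    """Passes the input as a parameter: the driver sends it as a value, never as SQL,
    so it can only ever be compared against the Name column."""
    sql = "SELECT CustomerId FROM Customers WHERE Name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed validation rule: a name starts with a letter and contains only
# letters, spaces, or hyphens, up to 50 characters.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z -]{0,49}$")


def validate_name(name):
    """Client-side check: reject anything that is not a plausible name so the
    request never costs a round trip to the server."""
    return isinstance(name, str) and bool(NAME_PATTERN.match(name))


def usp_find_customer(conn, name):
    """Models a stored procedure (hypothetical name) that re-validates its
    parameter on the server, catching input that bypassed the client check,
    and then runs only a parameterized query."""
    if not validate_name(name):
        raise ValueError("invalid @Name parameter")
    return find_by_name_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that closes the quote and adds a clause
    print("vulnerable:", find_by_name_vulnerable(db, crafted))      # every row
    print("parameterized:", find_by_name_parameterized(db, crafted))  # no row
    print("validated:", validate_name(crafted))                     # False
```

Running the block shows the concatenated query returning every customer for the crafted value while the parameterized query returns none, because the value is compared literally. The validation step is defence in depth, not a substitute: a pattern that is too loose will let some inputs through, which is why the parameterized query is what actually prevents the injection and the validation is what rejects bad input early and cheaply.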

For more information about SQL injection and how to avoid it, see "SQL Injection" in SQL Server Books Online. For more information about validating stored procedure parameters, see "Stored Procedures (Database Engine)" and subordinate topics in SQL Server Books Online.

© 2015 Microsoft