Hey everyone,
I've been having a bit of a look at the Execute SQL task. I'm trying to execute a stored procedure where I pass in parameters which are free text. What happens if somebody puts a string containing single quotes, followed by a destructive statement - something like this - '','','','',''; DROP DATABASE Foo;
Is there a way to pass actual parameters that doesn't leave you open to SQL injection? We haven't yet installed the latest version, so maybe it's changed, but thought it was worth asking anyway.
Julie
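An added worked example to illustrate the distinction Julie is asking about; it is not code from the post or from any particular Execute SQL task implementation. It uses Python's sqlite3 module as a stand-in database (SQLite has no stored procedures and no DROP DATABASE, so the sample input, constructed here, ends in DROP TABLE instead). The point carries over to any tool: in the unsafe form the statement text itself is built from the user's input, so the SQL parser sees the user's quotes and semicolons; in the safe form the statement text is a constant and the value is sent as a bound parameter.

```python
import sqlite3

# Constructed sample input: free text of the kind the question describes,
# full of single quotes and ending in a statement. SQLite has no DROP DATABASE,
# so the trailing statement names a table instead.
HOSTILE_TEXT = "'','','','',''; DROP TABLE comments;"


def new_connection():
    """In-memory database with one table that stores the free-text field."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def concatenated_sql(body):
    """Unsafe construction: the statement text depends on the input, so the
    input's quotes and semicolons are handed straight to the SQL parser."""
    return "INSERT INTO comments (body) VALUES ('" + body + "')"


def insert_concatenated(conn, body):
    """Runs the concatenated statement. Whether the input is executed as SQL or
    merely mangled depends on how its quotes happen to pair up with ours;
    either way the database never stores the value the user actually typed."""
    conn.execute(concatenated_sql(body))
    conn.commit()


# Safe construction: the statement text is fixed; '?' is a placeholder that the
# driver fills from a separate value, never by editing the text.
PARAMETERISED_SQL = "INSERT INTO comments (body) VALUES (?)"


def insert_parameterised(conn, body):
    """The value travels as a bound parameter, so the parser never sees it."""
    conn.execute(PARAMETERISED_SQL, (body,))
    conn.commit()


def table_exists(conn, name="comments"):
    """Schema check: confirms the table survived the insert."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stored_bodies(conn):
    return [r[0] for r in conn.execute("SELECT body FROM comments ORDER BY id")]


def compare(body=HOSTILE_TEXT):
    """Feeds the same input through both constructions and reports what each
    one stored and whether the schema is intact afterwards."""
    unsafe = new_connection()
    insert_concatenated(unsafe, body)
    safe = new_connection()
    insert_parameterised(safe, body)
    return {
        "concatenated_sql": concatenated_sql(body),
        "concatenated_stored": stored_bodies(unsafe),
        "parameterised_sql": PARAMETERISED_SQL,
        "parameterised_stored": stored_bodies(safe),
        "table_intact": table_exists(unsafe) and table_exists(safe),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value!r}")
```

Running it shows the parameterised insert storing the input byte-for-byte, while the concatenated insert stores something else (the doubled quotes are interpreted as escapes), because the parser, not the application, decided where the value ends. The test to apply to any Execute SQL step is the same: if the SQL text sent to the server changes when the input changes, the input is being parsed as SQL; parameter binding keeps the text constant and passes the value out of band.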