Simply put, SQL Injection prevents malicious SQL statements form being possible to enter.

In the good old days, if you had a textbox accepting a name (or any other value), and there was no checking of what the user entered, it would be possible to comment out the running command (or to make it always run (SELECT * FROM Users WHERE UserName = 'ViagraFalls' OR 1=1 -- spits out all users, while SELECT * FROM Users WHERE UserName = 'a';DROP TABLE Users -- drops the table).

By requiring all parameters to SQL Stored Procedures to be added by using the cmd.Parameters.Add command, the user input is actually translated into a literal text-string, rather than potentially being harmless...

http://entropia-online.blogspot.com/

snap :)

jimi

http://www.originaltalent.com

Ok guys I think I've got it now: If you use the Parameters collection when building the parameters for a stored procedure the database will store all columns as literal text. I checked out my article body and sure enough the <p> tags are around the article I created.

I guess what I was expecting was the tags actually being encoded in the database (Server.HtmlEncode).

Hi,

I have removed the universal key: ,'UniversalKey'

But the error continue to appear.I have setting the FCKeditor as described in the book.But I found that the default toolbar set doesn't contain any UniversalKey entry.So I deleted it only in the Toolbar set which I copied from the TheBeerHouse toolbarset.So is there any thinf else I should do?:(