I'm working on a web application which is vulnerable to SQL injection in its search box. It uses ASP.Net (C#) and Microsoft SQL Server.
In the search box it runs a query like:
Select Column1 from TBL where Column2 = N'<search box content>';
As you can see the above code is completely vulnerable to SQLi.
What I did to mitigate this was just create a method that replaces every ' with '', which in SQL Server means a literal single quotation mark.
So if a user enters something like ' order by -- in the textbox, the replace function (Replace("'","''")) rewrites it, and SQL Server would never run the attacker's injected SQL.
So I just want to know: am I completely safe against SQLi? Or is there a way to bypass my injection protection?
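For comparison, here is the query from the question written three ways in C# against SQL Server: the vulnerable concatenation, the quote-doubling version described above, and a parameterized version where the search term is sent as typed data rather than as part of the SQL text. This is an added example, not code from the question; it assumes the table TBL with columns Column1 and Column2 (NVARCHAR) as in the post, and the connection string is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original question.
// Assumes: table TBL with columns Column1 and Column2 (NVARCHAR), as in the post.
public static class SearchRepository
{
    // Form from the question: user input is pasted straight into the SQL text.
    public static string BuildVulnerableSql(string searchTerm)
    {
        return "SELECT Column1 FROM TBL WHERE Column2 = N'" + searchTerm + "'";
    }

    // The question's mitigation: every single quote is doubled so the input stays
    // inside the string literal. This depends on the value only ever being used
    // inside a quoted literal; the SQL text is still built from user input.
    public static string BuildEscapedSql(string searchTerm)
    {
        return "SELECT Column1 FROM TBL WHERE Column2 = N'" + searchTerm.Replace("'", "''") + "'";
    }

    // Parameterized form: the SQL text is constant and the search term travels as a
    // typed NVARCHAR parameter, so the server never parses it as SQL, whatever
    // characters it contains. No escaping of the input is needed.
    public static List<string> Search(string connectionString, string searchTerm)
    {
        var results = new List<string>();
        const string sql = "SELECT Column1 FROM TBL WHERE Column2 = @term";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare the parameter with the column's type and a size that matches
            // the column; the driver sends it as data of that type, not as query text.
            // (Column length 100 is an assumed value for this example.)
            cmd.Parameters.Add("@term", SqlDbType.NVarChar, 100).Value = searchTerm ?? string.Empty;

            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader.IsDBNull(0) ? string.Empty : reader.GetString(0));
                }
            }
        }
        return results;
    }

    public static void Main()
    {
        // Constructed input containing a quote, to show the three shapes side by side.
        const string term = "O'Brien";
        Console.WriteLine(BuildVulnerableSql(term));
        Console.WriteLine(BuildEscapedSql(term));
        // Search("<connection string placeholder>", term) would run the parameterized query.
    }
}
```

The parameterized version is the one to keep: it removes the question of whether a given escaping rule covers every case, because the search term is never part of the statement text in the first place. Quote doubling only protects a value that is used inside a quoted literal and nowhere else.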