Someone is trying to use SQL injection against the website I work on. I use read-only tables (and Stored Procedures called with parameters) to mitigate most of this. However, I do use a DATASET Select statement in parts of the code.
For example, I have a dataset (small one) that I keep cached (since it's accessed on EVERY page load) and that I use to index the site. As such, I pull queryString items and select from the dataset. Like this:
objMatches = objDS.Tables(0).Select("sec='" & strSection & "' AND sub='" & strSubSection & "'")
Where strSection and strSubSection are items pulled from the QueryString.
I've answered part of my question myself: there's no way that SQL-injection could do anything to the database since a DataSet is a DISCONNECTED database object! I guess that's another reason to use them, if you can.
The other part of my question: what can I do to eliminate the error that is being thrown? (The error is: "The expression contains undefined function call char().") The source of the error is a SQL-injection attempt on the querystring that makes strSection = "sup AND char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [Sysobjects] WHERE 1=1).....more sql".
Any ideas?
TIA
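Added example, not code from the original post: the same cached-DataSet lookup written three ways against a constructed in-memory table using the question's column names (sec, sub). The first is the concatenation pattern from the question, which lets query-string text reach the DataColumn expression parser; the second escapes the value as an expression string literal; the third drops the expression string entirely and compares values in code (it assumes the System.Data.DataSetExtensions assembly for AsEnumerable/Field).

```vb
Imports System
Imports System.Data
Imports System.Linq

Module SectionLookup

    ' Constructed sample rows standing in for the cached site index.
    Private Function BuildIndex() As DataTable
        Dim dt As New DataTable("index")
        dt.Columns.Add("sec", GetType(String))
        dt.Columns.Add("sub", GetType(String))
        dt.Columns.Add("page", GetType(String))
        dt.Rows.Add("sup", "faq", "support-faq.aspx")
        dt.Rows.Add("sup", "contact", "support-contact.aspx")
        dt.Rows.Add("news", "2008", "news-2008.aspx")
        Return dt
    End Function

    ' Pattern from the question: a quote or function call in the input becomes
    ' part of the filter expression, which is what raises "undefined function call char()".
    Private Function SelectUnsafe(dt As DataTable, section As String, subSection As String) As DataRow()
        Return dt.Select("sec='" & section & "' AND sub='" & subSection & "'")
    End Function

    ' Expression string literal: a literal single quote is written as two quotes,
    ' so the whole input stays a value and can never be parsed as syntax.
    Private Function Quote(value As String) As String
        Return "'" & value.Replace("'", "''") & "'"
    End Function

    Private Function SelectEscaped(dt As DataTable, section As String, subSection As String) As DataRow()
        Return dt.Select("sec=" & Quote(section) & " AND sub=" & Quote(subSection))
    End Function

    ' Preferred: no expression parser in the path at all. OrdinalIgnoreCase keeps the
    ' default case-insensitive behaviour of DataTable.Select.
    Private Function SelectInCode(dt As DataTable, section As String, subSection As String) As DataRow()
        Return dt.AsEnumerable().Where(Function(r) String.Equals(r.Field(Of String)("sec"), section, StringComparison.OrdinalIgnoreCase) AndAlso String.Equals(r.Field(Of String)("sub"), subSection, StringComparison.OrdinalIgnoreCase)).ToArray()
    End Function

    Sub Main()
        Dim dt = BuildIndex()
        ' Constructed value shaped like the hostile query string in the question (shortened).
        Dim hostile = "sup' AND char(124)+(Select 1) AND sec='"
        Try
            SelectUnsafe(dt, hostile, "faq")
        Catch ex As InvalidExpressionException   ' base of EvaluateException / SyntaxErrorException
            Console.WriteLine("unsafe filter rejected by parser: " & ex.Message)
        End Try
        Console.WriteLine("escaped, hostile input: " & SelectEscaped(dt, hostile, "faq").Length & " rows")
        Console.WriteLine("in code, normal input:  " & SelectInCode(dt, "sup", "faq").Length & " rows")
    End Sub
End Module
```

With the escaped and in-code versions the hostile value simply matches no row instead of throwing, so the page can fall back to a "not found" path rather than surfacing a parser error.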