How Do I: Defend Against Truncation-Based SQL Injection Attacks?

Source: Microsoft


Free registration required

Escaping single-quote characters is sometimes used as a mitigation for SQL injection vulnerabilities. However, when the data assigned to a SQL Server character variable exceeds the declared length of that variable, the extra characters are silently truncated. This podcast demonstrates how an attacker can use this truncation behaviour to circumvent the above-mentioned mitigation, resulting in a SQL injection attack. Various options for fixing SQL injection issues are also discussed.
Format: Podcast
Date: Sep 2010