mailing list archives
Re: SQL Injection
From: windo () windowlicker dyn ee
Date: Tue, 1 Jun 2004 08:43:32 +0300
> I solved the problem checking whether the logon or password variables
> contained the "'" char... is it safe enough? I checked around the net and
> found a recent paper from Imperva but it does not talk about single chars
> checking... I tried to use different encodings but that string in UTF-8 is
> just the same... any hint?
With PHP, you would use addslashes() on any user input (or with a
reasonably recent PHP, magic_quotes would do it for you). The industry
standard way to handle this is to escape single quotes so that they
wouldn't get interpreted as single quotes - the string terminating
symbols - by the SQL server, but as single quotes - the characters. I'm
pretty sure your preferred language has a function for that, but it
would probably be trivial to just substitute all ' with \'.
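As an added example (not code from the thread), the escaping the reply describes, written in PHP, with the parameterized-query form beside it that keeps user input out of the SQL text entirely; the `$pdo` connection and the `users` table with `logon` and `password` columns are assumed for illustration.

```php
<?php
// Added example, not from the original thread. Assumes a PDO connection
// $pdo and a table `users` with `logon` and `password` columns.

// Hand-rolled version of "substitute all ' with \'": escape the characters
// that would otherwise end a string literal or escape sequence. This is
// what addslashes() does for ' " \ and NUL. Backslash must go first so
// the backslashes added by the later replacements are not doubled again.
function escape_for_sql_literal(string $value): string
{
    return str_replace(
        ["\\", "'", "\"", "\0"],
        ["\\\\", "\\'", "\\\"", "\\0"],
        $value
    );
}

// String-building approach from the reply: escape, then interpolate.
// The escaped value is still part of the SQL text the server parses.
function build_login_query(string $logon, string $password): string
{
    $l = addslashes($logon);
    $p = addslashes($password);
    return "SELECT id FROM users WHERE logon = '$l' AND password = '$p'";
}

// Parameterized form: the SQL text is fixed and the values are bound
// separately, so a quote in the input is only ever data.
function login_prepared(PDO $pdo, string $logon, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id FROM users WHERE logon = :logon AND password = :password'
    );
    $stmt->execute([':logon' => $logon, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Constructed sample input: a legitimate value containing the "'" character
// the thread worries about, which a plain "reject any quote" check would
// wrongly refuse.
$logon = "o'brien";
echo escape_for_sql_literal($logon) === addslashes($logon) ? "same\n" : "differ\n";
echo build_login_query($logon, "pw"), PHP_EOL;
```

addslashes() knows nothing about the target database's quoting rules or the connection's character set, so the prepared statement is the form to rely on; magic_quotes was removed in PHP 5.4.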