[Pdx-pm] Escaping strings for SQL insertion

Steve Bonds 9nn24e402 at sneakemail.com
Tue Feb 15 20:48:21 PST 2005


On Tue, 15 Feb 2005 17:45:44 -0800, Jeff Zucker wrote:

> SQL should look like this:  WHERE col_name = 'string_value', in other
> words, there should be single quotes around the string _value.  If that
> value contains a single quote, everything gets confused because you end
> up with WHERE col_name ='O'Reilly' and there's no way to know where the
> value ends.

The SQL Inserters have already thought of this and often use the SQL
comment character "--" to end the SQL statement before that closing
quote is reached.

This is a really nice, concise discussion of SQL insertion:

http://www.unixwiz.net/techtips/sql-injection.html

The section on "mitigations" is especially good.  He heartily
recommends using the PREPARE statement in addition to the usual input
sanitizing.

  -- Steve
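As an added example (not part of the thread), here are the two patterns being contrasted above, using Python's sqlite3 module: pasting the value into the SQL text versus binding it through a placeholder, which is what PREPARE gives you. The table and the author names are constructed for the demo.

```python
import sqlite3

# Constructed sample data: one value with the single quote from Jeff's
# O'Reilly case, one containing the "--" comment marker Steve mentions.
AUTHORS = ["O'Reilly", "Smith -- consulting", "Zucker"]


def make_db():
    """Build an in-memory table holding the constructed sample names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (name TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?)", [(a,) for a in AUTHORS])
    return conn


def lookup_interpolated(conn, name):
    """The fragile pattern: the value is spliced into the SQL text.

    A quote inside the value closes the literal early, so the parser sees
    WHERE name = 'O'Reilly' and either fails or runs something other than
    what was intended.  Returns the matching rows, or an error string.
    """
    sql = f"SELECT name FROM authors WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def lookup_bound(conn, name):
    """The robust pattern: a '?' placeholder with the value bound at execute.

    The statement is parsed before the value is attached, so quotes or
    '--' inside the value are only ever data, never SQL syntax.
    """
    sql = "SELECT name FROM authors WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    for who in AUTHORS:
        print(f"{who!r}: interpolated={lookup_interpolated(db, who)!r}"
              f" bound={lookup_bound(db, who)!r}")
```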

