[Pdx-pm] Escaping strings for SQL insertion
Steve Bonds
9nn24e402 at sneakemail.com
Tue Feb 15 20:48:21 PST 2005
On Tue, 15 Feb 2005 17:45:44 -0800, Jeff Zucker wrote:
> SQL should look like this: WHERE col_name = 'string_value', in other
> words, there should be single quotes around the string _value. If that
> value contains a single quote, everything gets confused because you end
> up with WHERE col_name ='O'Reilly' and there's no way to know where the
> value ends.
The SQL Inserters have already thought of this and often use the SQL
comment character "--" to end the SQL statement before that closing
quote is reached.
This is a really nice, concise discussion of SQL insertion:
http://www.unixwiz.net/techtips/sql-injection.html
The section on "mitigations" is especially good. He heartily
recommends using the PREPARE statement in addition to the usual input
sanitizing.
-- Steve
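The two failure modes in this thread (the value itself containing a single quote, and a value that uses the "--" comment to cut the statement short) and the PREPARE-style fix can be seen side by side in a few lines. The following is an added example, not code from the thread or from the unixwiz article; it uses Python's standard sqlite3 module with a constructed in-memory table, and every function name in it (`make_db`, `lookup_by_concatenation`, `lookup_with_placeholder`, `compare`) is made up for this illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (name TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?)",
                     [("O'Reilly",), ("Zucker",), ("Bonds",)])
    return conn

def lookup_by_concatenation(conn: sqlite3.Connection, value: str) -> list:
    """The pattern under discussion: paste the value between single quotes.

    The database cannot tell where the value ends and the SQL resumes, so a
    quote inside the value is parsed as SQL.
    """
    sql = "SELECT name FROM authors WHERE name = '" + value + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_with_placeholder(conn: sqlite3.Connection, value: str) -> list:
    """Prepared statement with a placeholder: SQL text and data travel separately.

    The driver never splices the value into the statement text, so quotes and
    comment markers in the value are just characters to compare against.
    """
    sql = "SELECT name FROM authors WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (value,))]

def compare(conn: sqlite3.Connection, value: str) -> tuple:
    """Run both lookups on the same input and report what each one did.

    Returns (concatenated_result, placeholder_result); a syntax error from the
    concatenated query is reported as the string "error" rather than raised.
    """
    try:
        concatenated = sorted(lookup_by_concatenation(conn, value))
    except sqlite3.OperationalError:
        concatenated = "error"
    return concatenated, sorted(lookup_with_placeholder(conn, value))

if __name__ == "__main__":
    db = make_db()
    for value in ("Zucker",                          # well-behaved input
                  "O'Reilly",                        # the WHERE col = 'O'Reilly' case
                  "Zucker' OR name = 'Bonds' --"):   # comment hides the closing quote
        print(repr(value), "->", compare(db, value))
```

For the plain name both lookups agree. For `O'Reilly` the concatenated statement is a syntax error while the placeholder version finds the row, which is the case Jeff describes. For the third input the concatenated statement is syntactically valid (the "--" swallows the trailing quote) and quietly returns two rows, whereas the placeholder version compares the whole string literally and returns nothing. In Perl the same separation is what DBI gives you with `$dbh->prepare("... WHERE name = ?")` followed by `$sth->execute($value)`; `$dbh->quote($value)` is the escaping-only route if placeholders are not an option.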