How to escape special characters like " in the SQL query in order to avoid Injection

Using Delphi 2010, I am wondering if there is some way to escape the following string to make it safe from SQL injection attacks:

My string:

    // Vulnerable as posted: the user-supplied email and password are
    // concatenated straight into the SQL text, quotes and all.
    SQLQuery1.SQL.Text := 'SELECT * FROM registered WHERE email="'+
      email+'" and login_pass="'+password+'"';

How do I rewrite this string to make it safer than it is when someone types " in my TEdit box as their email or password?

Rafik Bari asked Dec 17 '22 05:12


1 Answer

Use parameters, and let the database drivers handle that stuff.

    // Placeholders in the SQL text; the values are passed separately by the driver.
    SQLQuery1.SQL.Text := 'SELECT * FROM registered WHERE email= :email'+
      ' and login_pass = :password';
    SQLQuery1.ParamByName('email').AsString := EMail;
    SQLQuery1.ParamByName('password').AsString := Password;
Ken White answered Dec 28 '22 07:12
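The following unit is an added example and is not code from the question or the answer above. It puts the asker's concatenated query and the answer's parameterised query side by side as two functions, so the difference can be seen on a concrete input. The unit name, the function names, the `Payload` constant and the assumption of an already-connected dbExpress `TSQLQuery` are all hypothetical; the payload is a constructed sample, not a real account.

```delphi
unit LoginLookup;

interface

uses
  SysUtils, DB, SqlExpr;

const
  // Constructed sample input for illustration only, not a real account.
  Payload = '" or ""="';

// Builds the SQL text exactly as the question concatenates it. Nothing is
// executed; this only exists to show what the server would receive.
function BuildUnsafeSql(const EMail, Password: string): string;

// Runs the same lookup with parameters, as in the answer. Returns True when
// a row matched. Query is assumed to be a connected TSQLQuery (assumption).
function LookupUser(Query: TSQLQuery; const EMail, Password: string): Boolean;

implementation

function BuildUnsafeSql(const EMail, Password: string): string;
begin
  // With Password = Payload the result is:
  //   SELECT * FROM registered WHERE email="x" and login_pass="" or ""=""
  // The closing quote in the payload ends the login_pass literal, the rest
  // becomes SQL, and the OR makes the WHERE clause true for every row.
  Result := 'SELECT * FROM registered WHERE email="' + EMail +
            '" and login_pass="' + Password + '"';
end;

function LookupUser(Query: TSQLQuery; const EMail, Password: string): Boolean;
begin
  Query.Close;
  // Only placeholders appear in the SQL text, so no quoting of user input
  // is needed and there is nothing for a stray " to break out of.
  Query.SQL.Text :=
    'SELECT * FROM registered WHERE email = :email AND login_pass = :password';
  // The values travel separately from the statement; with Password = Payload
  // the column is compared against the literal text  " or ""="  and no row
  // matches, instead of the WHERE clause being rewritten.
  Query.ParamByName('email').AsString := EMail;
  Query.ParamByName('password').AsString := Password;
  Query.Open;
  Result := not Query.IsEmpty;
end;

end.
```

`ParamByName` only finds `email` and `password` because `TSQLQuery` parses the `:name` placeholders out of `SQL.Text` while `ParamCheck` is True, which is the default; if it has been switched off, the parameters must be created by hand before assigning them. Parameters remove the injection problem and nothing else: how `login_pass` is stored and compared is a separate matter.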