Using Delphi 2010, I am wondering if there is some way to escape the following string to make it safe from SQL injection attacks.
My string:
SQLQuery1.SQL.Text := 'SELECT * FROM registered WHERE email="'+
  email+'" and login_pass="'+password+'"';
How can I rewrite this string to make it safer than it is when someone types " in my TEdit box as their email or password?
Use parameters, and let the database drivers handle that stuff.
SQLQuery1.SQL.Text := 'SELECT * FROM registered WHERE email = :email' +
  ' and login_pass = :password';
SQLQuery1.ParamByName('email').AsString := EMail;
SQLQuery1.ParamByName('password').AsString := Password;
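As an added example (not from the question or the answer above), the following Delphi console program puts the original string-concatenation version next to the parameterized one and feeds both the same hostile input. It assumes a dbExpress TSQLConnection (unit SqlExpr, as in Delphi 2010) that is already configured and open; the table "registered" and the columns "email" and "login_pass" are taken from the question, and the COUNT(*) alias "n" and the function names are this example's own choices.

```delphi
program ParamQueryDemo;

{$APPTYPE CONSOLE}

uses
  SysUtils, DB, SqlExpr;

// Assumption: the caller supplies an open dbExpress TSQLConnection.
// Table/column names come from the question; everything else is
// illustrative and not the original poster's code.

// Vulnerable: user-controlled strings become part of the SQL text itself,
// so a double quote in either field changes the structure of the query.
function BuildUnsafeSql(const Email, Password: string): string;
begin
  Result := 'SELECT * FROM registered WHERE email="' + Email +
            '" and login_pass="' + Password + '"';
end;

// Safe: the SQL text is fixed at compile time; Email and Password travel
// as parameter values, so a quote inside them is just data.
function LoginWithParams(Conn: TSQLConnection;
  const Email, Password: string): Boolean;
var
  Q: TSQLQuery;
begin
  Q := TSQLQuery.Create(nil);
  try
    Q.SQLConnection := Conn;
    Q.SQL.Text := 'SELECT COUNT(*) AS n FROM registered ' +
                  'WHERE email = :email AND login_pass = :password';
    Q.ParamByName('email').AsString := Email;
    Q.ParamByName('password').AsString := Password;
    Q.Open;
    // One or more matching rows means the credentials matched a record.
    Result := Q.FieldByName('n').AsInteger > 0;
  finally
    Q.Free;
  end;
end;

const
  // Constructed hostile input: closes the string literal and appends an
  // always-true condition. The trailing quote of the original text then
  // closes the injected literal.
  HostilePassword = 'x" OR "1"="1';

begin
  // Show what the concatenated query turns into; with MySQL-style double
  // quoted literals the WHERE clause becomes
  //   (email="bob@example.com" AND login_pass="x") OR "1"="1"
  // which matches every row in the table.
  Writeln(BuildUnsafeSql('bob@example.com', HostilePassword));

  // The parameterized version would need a live connection; it is called
  // like this, and the same HostilePassword simply fails to match:
  //   if LoginWithParams(Conn, 'bob@example.com', HostilePassword) then ...
end.
```

The parameterized query only fixes the injection problem: the WHERE clause still compares whatever is stored in login_pass directly against the typed password, exactly as the original query does, so the parameter change says nothing about how the password itself is stored.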