Is it enough to forbid single quotes in input to avoid SQL injection?

Question

I inherited an old piece of software and the code checks user input for containing a single quote character ' before construction an SQL statement using the string concatenation.

Is this sufficient to avoid SQL injection (besides being bad style) or do I have to take immediate action and change it to parameter usage?

Answer 1

Nope, it is not enough.

Yes, you have to take immediate action and change it to parameter usage where applicable.

Just a few guidelines for you to get it straight:

1. Never take care of any injections. But make sure you have formatted your SQL literals properly. A properly formatted literal is error-proof and - just as a side effect - also invulnerable.
2. Discover the fact that SQL query consists of literals of several different types. Each require distinct formatting, incompatible and useless for all others.
3. Make sure such a formatting applied unconditionally. A prepared statement is the only way to be sure of.