When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website.
I usually just have a function escape_string(blah), which:
Replaces backslashes (\) with double escapes (\\).
Replaces single quotes (') with an escaped single quote (\').
Is this adequate? Is there a hole in my code? Is there a library which can do this quickly and reliably for me?
I'd like to see graceful solutions in Perl, Java, and PHP.
Use braces to escape a string of characters or symbols. Everything within a set of braces is considered part of the escape sequence. When you use braces to escape a single character, the escaped character becomes a separate token in the query. Use the backslash character to escape a single character or symbol.
Escape sequences are used within an SQL statement to tell the driver that the escaped part of the SQL string should be handled differently. When the JDBC driver processes the escaped part of an SQL string, it translates that part of the string into SQL code that SQL Server understands.
Escaping data is the process of securing output by stripping any unwanted data such as script tags, incorrectly formed HTML and other unwanted data. It therefore prevents this data from being seen or executed as code.
The escape character (\) needs to be escaped as (\\). The single quote (') needs to be escaped as (\') or ('') in single-quote quoted strings. The double quote (") needs to be escaped as (\") or ("") in double-quote quoted strings. The wild card character for a single character (_) needs to be escaped as (\_).
For maximum security, performance, and correctness, use prepared statements. Here's how to do this with lots of examples in different languages, including PHP:
https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks
I would also escape comments (double dash: --).
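Added example, not taken from the question or from the linked answer, showing one concrete hole in the escape_string approach and what the prepared-statement answer looks like in practice. It uses Python's sqlite3 module so it runs offline; the users table, its rows and the function names are constructed for this illustration. The same placeholder pattern is what PHP's PDO, Perl's DBI and Java's PreparedStatement give you.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SAMPLE_USERS = [
    (1, "alice", 1),
    (2, "bob", 0),
    (3, "o'brien", 0),
]


def escape_string(s: str) -> str:
    """The escaper described in the question: double every backslash,
    then backslash-escape every single quote (MySQL-style)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "is_admin INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the value is concatenated into an unquoted numeric context.
    escape_string() only touches quotes and backslashes, so a payload that
    needs neither, such as "2 OR 1=1" or "2 OR 1=1 -- ", passes straight
    through and is parsed as SQL. The trailing "-- " comments out the rest
    of the statement, which is the double-dash problem noted above."""
    sql = "SELECT name FROM users WHERE id = " + escape_string(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Safe: the driver binds the value as data; it is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe in a string context too: no escaping is needed, even for a name
    that itself contains a single quote."""
    rows = conn.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_by_id_escaped(db, "2"))             # ['bob']
    print(find_by_id_escaped(db, "2 OR 1=1 -- "))  # ['alice', 'bob', "o'brien"]  <- injection
    print(find_by_id_param(db, "2 OR 1=1 -- "))    # []  whole string compared as data
    print(find_by_name_param(db, "o'brien"))       # [3]
    print(find_by_name_param(db, "' OR '1'='1"))   # []
```

Two points the code makes that the question's escaper cannot address: escaping only matters inside a quoted string literal, so any value interpolated into a numeric or identifier position (WHERE id = ..., ORDER BY ...) is injectable no matter how well quotes are escaped; and the \' convention is MySQL-specific, since SQLite (used here) and PostgreSQL with standard_conforming_strings treat a backslash inside a literal as an ordinary character, so the same escape_string() produces broken SQL rather than safe SQL on those engines. Bound parameters sidestep both problems because the value never reaches the SQL parser.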