Posted by Michael Fesser on 05/13/07 10:08
..oO(Johnny BeGood)
>When a user enters an Apostrophe into a text area field on a form, i.e.
>didn't, it mucks with odbc as follows
>
>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
>query expression ''didn't',
This not only breaks the query, but allows an attacker to inject
arbitrary malicious SQL commands. Not good.
>What's the best way to handle this, other than not entering the apostrophe.
You _always_ have to make sure that the data entered into a DB can't do
any harm. To achieve that you have to
1) escape all chars that have a special meaning in SQL
or
2) use prepared statements
The second is preferred, but whether it's available or not depends
on the DB backend used and the interface.
Micha
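As an added illustration (not part of the original thread), the broken string concatenation next to the two options Micha lists, using Python's sqlite3 module as a stand-in for the Access/ODBC backend from the post; the table and the sample value are constructed here.

```python
import sqlite3

def make_db():
    # Constructed sample: in-memory SQLite table standing in for the Access DB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn

def insert_unsafe(conn, text):
    # SQL built by concatenation: an apostrophe in `text` closes the string
    # literal early, so the driver sees a malformed statement (the same
    # failure class as the ODBC "Syntax error (missing operator)").
    sql = "INSERT INTO notes (body) VALUES ('" + text + "')"
    conn.execute(sql)

def insert_escaped(conn, text):
    # Option 1: escape the characters that are special in this SQL dialect.
    # SQLite (like Access) doubles a single quote inside a literal. This is
    # dialect-specific and easy to get wrong, hence second choice.
    sql = "INSERT INTO notes (body) VALUES ('" + text.replace("'", "''") + "')"
    conn.execute(sql)

def insert_prepared(conn, text):
    # Option 2: prepared statement with a bound parameter. The value never
    # becomes part of the SQL text, so quoting characters carry no meaning.
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))

def demo(text="didn't"):
    """Return (did_unsafe_insert_succeed, stored_rows) for the given input."""
    conn = make_db()
    try:
        insert_unsafe(conn, text)
        unsafe_ok = True
    except sqlite3.Error:
        unsafe_ok = False
    insert_escaped(conn, text)
    insert_prepared(conn, text)
    rows = [r[0] for r in conn.execute("SELECT body FROM notes ORDER BY id")]
    return unsafe_ok, rows

if __name__ == "__main__":
    print(demo())          # apostrophe: concatenation fails, both fixes store it
    print(demo("hello"))   # harmless input: all three paths succeed
```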