Posted by Michael Fesser on 05/13/07 10:08
..oO(Johnny BeGood)
>When a user enters an apostrophe into a text area field on a form, e.g.
>didn't, it mucks with ODBC as follows
>
>[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
>query expression ''didn't',
This not only breaks the query, but allows an attacker to inject
arbitrary malicious SQL commands. Not good.
>What's the best way to handle this, other than not entering the apostrophe?
You _always_ have to make sure that the data entered into a DB can't do
any harm. To achieve that you have to
1) escape all chars that have a special meaning in SQL
or
2) use prepared statements
The second is the preferred one, but whether it's available depends
on the DB backend and the interface used.
Micha
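The three situations discussed above (the broken query, the escaped literal, and the prepared statement), as an added example that is not part of the original thread. It uses Python's built-in sqlite3 module as a stand-in for the ODBC/Access setup, since that cannot run offline; the table `notes` and its rows are constructed sample data, and the function names are my own.

```python
import sqlite3

# Constructed sample data standing in for the Access table from the post.
# Assumption: a table "notes" with a text column "body".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes (body) VALUES (?)",
                     [("hello",), ("didn't",), ("secret",)])
    conn.commit()
    return conn

def find_concat(conn, text):
    """Vulnerable: user input is pasted straight into the SQL string.
    An apostrophe breaks the query; a crafted value rewrites it."""
    sql = "SELECT body FROM notes WHERE body = '" + text + "'"
    return [row[0] for row in conn.execute(sql)]

def sql_escape_literal(text):
    """Option 1: escape the characters that are special inside a SQL string
    literal. In standard SQL (and Jet/Access) a quote inside a single-quoted
    literal is written as two quotes. Other backends have extra rules
    (MySQL also treats backslash specially), so match the target DB."""
    return text.replace("'", "''")

def find_escaped(conn, text):
    """Still string building, but the literal is escaped before insertion."""
    sql = ("SELECT body FROM notes WHERE body = '"
           + sql_escape_literal(text) + "'")
    return [row[0] for row in conn.execute(sql)]

def find_param(conn, text):
    """Option 2: prepared/parameterised statement. The value never becomes
    part of the SQL text, so it cannot change the statement's structure."""
    cur = conn.execute("SELECT body FROM notes WHERE body = ?", (text,))
    return [row[0] for row in cur]

def demo():
    """Run all three variants against a harmless apostrophe and a
    classic injection payload; returns the observed results."""
    conn = make_db()
    apostrophe = "didn't"
    payload = "x' OR '1'='1"
    results = {}
    try:
        find_concat(conn, apostrophe)
        results["concat_apostrophe"] = "no error"
    except sqlite3.OperationalError as e:
        # Same class of failure as the ODBC "Syntax error" in the post.
        results["concat_apostrophe"] = "syntax error: " + str(e)
    # The payload turns WHERE body = 'x' OR '1'='1' into an always-true
    # condition and dumps every row.
    results["concat_injection"] = find_concat(conn, payload)
    results["escaped_apostrophe"] = find_escaped(conn, apostrophe)
    results["escaped_injection"] = find_escaped(conn, payload)
    results["param_apostrophe"] = find_param(conn, apostrophe)
    results["param_injection"] = find_param(conn, payload)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenated version fails on `didn't` and returns all three rows for the payload; both the escaped and the parameterised versions find `didn't` and return nothing for the payload. Escaping only protects values placed inside a quoted string literal; a number or identifier spliced into the query still needs its own validation, which is one more reason to prefer the parameterised form wherever the driver offers it.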