preventing sql injection attacks

Posted: Tue Nov 11, 2008 2:27 am
by krraleigh
I have a function that adds ' ticks to the ends of my strings in the database. I was told to do this to prevent sql injection attacks.

I am using UPDATE to set the fields in my database and after hours of testing I find that UPDATE won't allow me to insert ' ticks at the beginning and end of my values.

I can use ' ticks when I insert without problem just not when I UPDATE.

Has anyone ever heard of anything like this?
Can you show me where I went wrong?

I echoed the value just before it is placed in the UPDATE string and it clearly shows the ' ticks. I ran another test by placing the letter "z" in front of the tick to prove that my function was working properly and it worked great.

Very confused and could use some help.
Kevin

Re: preventing sql injection attacks

Posted: Tue Nov 11, 2008 2:31 am
by novice4eva
why not just use bind variables!!
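The bind-variable approach suggested above, shown next to the string-built UPDATE from the original question, as an added example that is not part of this thread. It uses Python's sqlite3 module with a constructed in-memory `users` table (the poster's database, table and driver are not given); the same placeholder idea applies to any driver that supports prepared statements.

```python
import sqlite3

# Constructed in-memory database standing in for the poster's table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
conn.execute("INSERT INTO users (name) VALUES ('alice')")
conn.commit()


def add_ticks(value):
    """The kind of helper described in the question: wrap the value in
    single quotes, but without escaping any quotes inside the value."""
    return "'" + value + "'"


def update_by_concatenation(name, user_id):
    """Builds the UPDATE by gluing strings together (the approach in the post).
    A quote character inside the value breaks the statement; the database
    error text is returned so the caller can see what went wrong."""
    sql = ("UPDATE users SET name = " + add_ticks(name)
           + " WHERE id = " + str(user_id))
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as err:
        conn.rollback()
        return str(err)


def update_with_bind(name, user_id):
    """Bind variables: the SQL text contains only placeholders and the
    driver sends the values separately, so no ticks are added by hand and
    a quote inside the value is treated as plain data, not as SQL."""
    conn.execute("UPDATE users SET name = ? WHERE id = ?", (name, user_id))
    conn.commit()


def current_name(user_id):
    """Read back the stored name so both approaches can be compared."""
    row = conn.execute("SELECT name FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    return row[0]
```

Running `update_by_concatenation("O'Brien", 1)` returns a syntax error from the database and leaves the row unchanged, while `update_with_bind("O'Brien", 1)` stores the name exactly as given.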

Re: preventing sql injection attacks

Posted: Tue Nov 11, 2008 2:51 am
by Rovas
Have you tried escaping them (\')?

Re: preventing sql injection attacks

Posted: Tue Nov 11, 2008 3:30 am
by aceconcepts