Hi;

I am trying to treat a string before passing it through my SQL statement into the database. I know that a single apostrophe will break the SQL statement. So I have to replace them all to double apostrophes.

Question #1: What may I ask is the c or C++ code to accomplish that? Initially I was using this simple scheme.

    #include <string>
    using std::string;

    string str2("stephen's test . Bob's test");
    // replaces only the first apostrophe that is found
    if (str2.find("'") != string::npos) {
        str2.replace(str2.find("'"), 1, "''");
    }

I know this doesn't test for multiple single apostrophes. But are there any other characters that will break the SQL statement? Has anyone created a nice algorithm?

I actually have a situation where the user creates an XML file and the contents of the XML file gets dumped in the database. So there is opportunity for a hacker to create an XML file which has some SQL statements in it like ' DELETE TABLE X ;

So any thoughts or existing code would be great.

Thanks
Stev
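The following is an added example, not code from the original post: it generalizes the poster's one-replacement snippet into a function that doubles every apostrophe and wraps the result as a SQL string literal, plus a check that the resulting literal is well formed. The function names and the sample inputs (including the poster's `' DELETE TABLE X ;` string) are constructed for this illustration.

```cpp
// Added example (not from the original post). Escapes a value for use as a
// standard SQL single-quoted string literal by doubling every apostrophe,
// which is the SQL-standard escape. The post's snippet only replaced the
// first apostrophe; this loop handles all of them.
#include <cassert>
#include <iostream>
#include <string>

// Double every single quote in `value` and wrap the result in quotes:
//   stephen's test  ->  'stephen''s test'
std::string quoteSqlLiteral(const std::string& value) {
    std::string out;
    out.reserve(value.size() + 2);
    out.push_back('\'');
    for (char c : value) {
        if (c == '\'') {
            out += "''";        // one apostrophe becomes two
        } else {
            out.push_back(c);
        }
    }
    out.push_back('\'');
    return out;
}

// Defensive self-check: a literal is well formed when it starts and ends
// with a quote and every interior quote is part of a doubled pair. An
// unpaired interior quote would terminate the literal early.
bool isWellFormedLiteral(const std::string& lit) {
    if (lit.size() < 2 || lit.front() != '\'' || lit.back() != '\'') {
        return false;
    }
    for (std::size_t i = 1; i + 1 < lit.size(); ++i) {
        if (lit[i] == '\'') {
            // the pair must fit before the closing quote
            if (i + 2 >= lit.size() || lit[i + 1] != '\'') {
                return false;
            }
            ++i;                // skip the second quote of the pair
        }
    }
    return true;
}

// Build the statement the poster described: a column value pulled from an
// XML file and inserted as a literal (hypothetical table/column names).
std::string buildInsert(const std::string& value) {
    return "INSERT INTO xml_data (body) VALUES (" + quoteSqlLiteral(value) + ");";
}

int main() {
    // Constructed inputs: the post's own sample string and its attack sample.
    const std::string samples[] = {
        "stephen's test . Bob's test",
        "' DELETE TABLE X ;",
        "no apostrophes here",
    };
    for (const std::string& s : samples) {
        const std::string lit = quoteSqlLiteral(s);
        assert(isWellFormedLiteral(lit));
        std::cout << buildInsert(s) << '\n';
    }
    return 0;
}
```

Doubling apostrophes only protects string literals in standard SQL; it does nothing for values placed outside quotes (numbers, identifiers), and some engines such as MySQL also treat the backslash as an escape character by default, so an escape routine has to match the target database. With bound parameters (for example `sqlite3_bind_text` in SQLite, or the equivalent in other client libraries) the value never becomes part of the statement text and no escaping is needed, which is the usual recommendation for user-supplied data like the XML contents described above.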