On 8/5/07, Stephen Sutherland <[EMAIL PROTECTED]> wrote:

>   I am trying to treat a string before passing it through my SQL statement
> into the database.
>
>   I know that a single apostrophe will break the SQL statement.
>   So I have to replace them all with double apostrophes.
>
>   But are there any other characters that will break the SQL statement?
>
> I actually have a situation where the user creates an XML file and the
> contents of the XML file get dumped in the database. So there is opportunity
> for a hacker to create an XML file which has some SQL statements in it like '
> DELETE TABLE X ;
>
>   So any thoughts or existing code would be great.

Don't attempt to treat strings at all.  Instead, always use the
parametric binding API for whatever database you're using.  You
prepare statements like "INSERT INTO table VALUES (?)", and then pass
in the input string as a separate argument for the database engine to
put in place of the "?".  This avoids the entire problem of escaping
special characters, and you don't need to treat your input data
specially.

For sqlite, use sqlite3_prepare_v2() and sqlite3_bind_text().
http://sqlite.org/capi3.html should get you up to speed on the
process, and browse through the other documents on the site for more
information.

-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
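As an added illustration of the advice above (this is not code from the thread), the following Python script runs the same user-supplied text through both approaches against an in-memory SQLite database. It uses Python's built-in sqlite3 module, which calls sqlite3_prepare_v2() and sqlite3_bind_*() underneath, so the '?' placeholder works exactly as described. The table name, the sample XML text and the function names are constructed for this example; nothing here comes from the original poster's application.

```python
import sqlite3

# Constructed sample: text a user might place in an uploaded XML file.
# It contains an apostrophe, a semicolon, a comment marker and an SQL
# keyword; with parameter binding all of it is stored literally as data.
SAMPLE_XML = "<note>O'Brien's report; see DELETE policy -- draft</note>"


def make_db():
    """Fresh in-memory database with a one-column table (schema constructed here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_naive(conn, text):
    """Anti-pattern: splice the string into the SQL text.

    An apostrophe in `text` terminates the literal early, so the statement
    no longer parses and SQLite raises an error instead of storing the row.
    """
    conn.execute("INSERT INTO notes (body) VALUES ('" + text + "')")


def insert_bound(conn, text):
    """Recommended: the SQL text contains only a '?' placeholder.

    The value is handed to the engine as a separate argument (prepare +
    bind), so no character in `text` is ever parsed as SQL.
    """
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))


def fetch_bodies(conn):
    """Return every stored body, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


def demo(text=SAMPLE_XML):
    """Run both insert styles on the same input.

    Returns (naive_error_name, stored_rows): the exception class name raised
    by the naive insert (None if it succeeded) and what the table holds
    after both attempts.
    """
    conn = make_db()
    naive_error = None
    try:
        insert_naive(conn, text)
    except sqlite3.Error as exc:
        naive_error = type(exc).__name__
    insert_bound(conn, text)
    rows = fetch_bodies(conn)
    conn.close()
    return naive_error, rows


if __name__ == "__main__":
    err, rows = demo()
    print("naive insert failed with:", err)
    print("bound insert stored:", rows)
```

With the sample text, the naive insert fails to parse while the bound insert stores the string byte-for-byte, apostrophes and all; with a plain string such as "hello" both inserts succeed, which is why string concatenation tends to survive testing until real data arrives.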
