On 8/23/07, Nikolaj Baer <[EMAIL PROTECTED]> wrote:
> I have always either used parameterized queries or just done a
> $p.replace("'","\\'"). Is there something beyond a ' that I would have
> to worry about escaping inside a quoted string (like a terminating
> character, I have been assuming that all the other characters except
> the ' are escaped at the lower layer)?
>
Clever people can anticipate your straightforward approach and add an
extra backslash into their injection so that the resulting SQL escapes
your backslash rather than the quote.
-- Rick
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
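An added illustration of the backslash trick Rick describes (example code written for this page, not taken from the thread or from any library): a small Python model of a MySQL-style single-quoted literal, where a backslash consumes the character after it, is used to show where the literal actually ends after the naive quote-only escape and after an escape that handles the backslash first. The query template, the table and column names and the payload are all constructed for the demo.

```python
# Added example, not from the thread. Models MySQL-style string literals
# (backslash escapes the next character, '' is an embedded quote) to show
# how a quote-only escape is bypassed. Table, column and payload are
# constructed for this demo.


def build_query(escaped_value: str) -> str:
    """Hypothetical query built by string concatenation, as in the question."""
    return "SELECT * FROM users WHERE name = '" + escaped_value + "'"


def naive_escape(value: str) -> str:
    """The approach from the question: escape only the single quote."""
    return value.replace("'", "\\'")


def escape_backslash_then_quote(value: str) -> str:
    """Escape the escape character first, then the quote. Order matters:
    escaping the quote first would let the backslash replace re-escape
    the backslashes it had just introduced."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def literal_end(sql: str, start: int) -> int:
    """Return the index just past the closing quote of the single-quoted
    literal that opens at sql[start], following MySQL-style rules:
    a backslash consumes the following character, and '' stays inside
    the literal. Returns -1 if the literal never terminates."""
    if sql[start] != "'":
        raise ValueError("literal_end must be called at an opening quote")
    i = start + 1
    n = len(sql)
    while i < n:
        c = sql[i]
        if c == "\\":
            i += 2          # escaped character, whatever it is
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2      # doubled quote, still inside the literal
            else:
                return i + 1
        else:
            i += 1
    return -1


def text_outside_literal(value: str, escape) -> str:
    """Build the query with the given escaper and return whatever text the
    parser sees after the literal closes. Benign input leaves this empty;
    anything else is SQL the caller did not write."""
    sql = build_query(escape(value))
    start = sql.index("'")
    end = literal_end(sql, start)
    if end == -1:
        return ""       # unterminated literal: a syntax error, not a breakout
    return sql[end:].strip()


# Constructed payload: a backslash ahead of the quote, so the naive
# escaper's own backslash ends up escaping it and the quote stays live.
PAYLOAD = "\\' OR 1=1 -- "

if __name__ == "__main__":
    for name, esc in (("quote only", naive_escape),
                      ("backslash, then quote", escape_backslash_then_quote)):
        print(f"{name:22s} {build_query(esc(PAYLOAD))}")
        print(f"{'':22s} outside the literal: {text_outside_literal(PAYLOAD, esc)!r}")
```

With the quote-only escape the payload becomes `\\' OR 1=1 -- `, the scanner pairs the two backslashes, and the quote closes the literal early, leaving `OR 1=1 -- '` as live SQL; escaping the backslash first keeps everything inside the literal. The scanner models only the backslash rule, though: a real server's lexing also depends on the connection character set and, in MySQL, on whether the NO_BACKSLASH_ESCAPES sql_mode is set, which is why the parameterized queries already mentioned in the question are the dependable option.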