Hi Stev,

Why not just use prepared statements?

Regards,
Eugene Wee

Stephen Sutherland wrote:
Hi ;
I am trying to treat a string before passing it through my SQL statement into the database. I know that a single apostrophe will break the SQL statement. So I have to replace them all with double apostrophes. Question #1: What may I ask is the C or C++ code to accomplish that? Initially I was using this simple scheme.

    #include <string>
    using std::string;

    string str2("stephen's test . Bob's test");
    if (str2.find("'") != string::npos)
    {
        str2.replace(str2.find("'"), 1, "''");   // only escapes the first apostrophe found
    }

I know this doesn't test for multiple single apostrophes. But are there any other characters that will break the SQL statement? Has anyone created a nice algorithm?
I actually have a situation where the user creates an XML file and the contents 
of the XML file get dumped in the database. So there is opportunity for a 
hacker to create an XML file which has some SQL statements in it like ' DELETE 
TABLE X ;
So any thoughts or existing code would be great. Thanks Stev
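Added example (not code from either poster): a C++ helper that doubles every apostrophe, not only the first one, and wraps the result as a single-quoted SQL literal, shown next to the first-match-only approach from the question so the difference is visible on the sample string. Doubling the apostrophe is the SQL-standard escape inside a single-quoted literal; some engines (MySQL in its default mode, for instance) also treat backslash specially, so check the DBMS, and prefer prepared statements as Eugene suggests, because then the value never becomes part of the SQL text at all.

```cpp
#include <iostream>
#include <string>

// Quote a value for use as a single-quoted SQL string literal by doubling
// every apostrophe it contains. Handles any number of apostrophes.
std::string sql_quote(const std::string& value) {
    std::string out;
    out.reserve(value.size() + 2);
    out += '\'';
    for (char c : value) {
        if (c == '\'') {
            out += "''";   // '' inside a literal is a literal apostrophe
        } else {
            out += c;
        }
    }
    out += '\'';
    return out;
}

// The approach from the question: only the first apostrophe is escaped,
// so any later one still terminates the literal early.
std::string naive_quote_first(std::string value) {
    std::string::size_type pos = value.find('\'');
    if (pos != std::string::npos) {
        value.replace(pos, 1, "''");
    }
    return "'" + value + "'";
}

int main() {
    // Constructed sample inputs: the string from the question and the kind
    // of XML-sourced value the post is worried about.
    const std::string text = "stephen's test . Bob's test";
    const std::string xml_value = "' DELETE TABLE X ;";

    std::cout << naive_quote_first(text) << "\n";  // second apostrophe left unescaped
    std::cout << sql_quote(text) << "\n";
    // Every apostrophe is doubled, so the whole value stays inside one literal.
    std::cout << "INSERT INTO notes(body) VALUES (" << sql_quote(xml_value) << ");\n";
    return 0;
}
```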
