Tip 3Beware of Quotes
Quotes can be difficult to handle because they can fool SQL strings. As I showed earlier, an attack can use quotes to create different SQL query logic and allow anyone to logon without a valid username and password. Another way to help mitigate quoting attacks is to escape the quote characters first. The following regular expression will double up all single and double quotes. This is perfectly valid SQL syntax, which can help make many attacks harder to execute:
strPwd = strPwd.replace(/([\'\"])/g,"$1$1");
You could use this in place of the regular expression just added. Personally, I use bothdefense in depth!