Login | Register   
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


Tip of the Day
Language: SQL
Expertise: Beginner
Sep 13, 2004

Allow Unrestricted Use of Quotes and Apostrophes in User Input

There is no need to restrict your users' ability to use apostrophes or quote characters in input. This simple filtering technique allows unrestricted use of quotes and apostrophes, and can help guard against many SQL injection attacks to boot.

SQL will accept either the quote (") character or the apostrophe (') as a string delimiter, although the latter is preferred. If the string includes an embedded delimiter character, the string is terminated early, and what follows is treated as a new SQL statement, which is where the injection vulnerability comes into play. However, paired delimiter characters are treated as a single embedded non-delimiter character, which suggests the simple solution: use an apostrophe as the delimiter, and filter the string and replace every apostrophe with two apostrophes.

I use a standard function when generating dynamic SQL statments which takes a string as input and returns a bounded and filtered statement component. What follows is VBScript, but can easily be converted to any language. Note that the function returns the string 'Null' when the sIn argument value is an empty string."


Public Function SQLBoundString(ByVal sIn)

    If sIn = "" Then
        SQLBoundString = 'Null'
    Else
        SQLBoundString = "'" & Replace(sIn, "'", "''") & "'"
    End If

End Function
Hercules Gunter
 
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap