Home » Allow Unrestricted Use of Quotes and Apostrophes in User Input

Allow Unrestricted Use of Quotes and Apostrophes in User Input

There is no need to restrict your users’ ability to use apostrophes or quote characters in input. This simple filtering technique allows unrestricted use of quotes and apostrophes, and can help guard against many SQL injection attacks to boot.

SQL will accept either the quote (“) character or the apostrophe (‘) as a string delimiter, although the latter is preferred. If the string includes an embedded delimiter character, the string is terminated early, and what follows is treated as a new SQL statement, which is where the injection vulnerability comes into play. However, paired delimiter characters are treated as a single embedded non-delimiter character, which suggests the simple solution: use an apostrophe as the delimiter, and filter the string and replace every apostrophe with two apostrophes.

I use a standard function when generating dynamic SQL statments which takes a string as input and returns a bounded and filtered statement component. What follows is VBScript, but can easily be converted to any language. Note that the function returns the string ‘Null’ when the sIn argument value is an empty string.”

Public Function SQLBoundString(ByVal sIn)    If sIn = "" Then        SQLBoundString = 'Null'    Else        SQLBoundString = "'" & Replace(sIn, "'", "''") & "'"    End IfEnd Function

About Our Editorial Process

At DevX, we’re dedicated to tech entrepreneurship. Our team closely follows industry shifts, new products, AI breakthroughs, technology trends, and funding announcements. Articles undergo thorough editing to ensure accuracy and clarity, reflecting DevX’s style and supporting entrepreneurs in the tech sphere.

See our full editorial policy.