Securing the Query
Even strong filters don't always catch malicious SQL characters. This means additional security must be applied to the database statement itself. The single and double quote characters tend to comprise the majority of SQL injection payloads (as well as many cross-site scripting attacks). These two characters should always be treated with suspicion. In terms of blocking SQL injection, it's better to block quotes rather than trying to escape them. Programming languages and some SQL dialects provide mechanisms for escaping quotes such that they can be used within an SQL expression rather than delimiting values in the statement. For example, a single quote might be doubled so that ' becomes '' (two single quotes) to balance the ...
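The two treatments of quotes contrasted above, doubling versus rejecting, shown side by side as an added example (not taken from the book). It uses Python's sqlite3 module with a constructed in-memory table and a constructed test input; the function names are illustrative.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return db

QUOTES = ("'", '"')

def lookup_unsafe(db, name):
    # The value is pasted between quote delimiters with no handling.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_escaped(db, name):
    # Escaping: each single quote is doubled so it stays inside the literal.
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_blocking(db, name):
    # Blocking: refuse any value containing a quote before SQL is built.
    if any(q in name for q in QUOTES):
        raise ValueError("quote character rejected")
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

PAYLOAD = "x' OR '1'='1"  # constructed test input

def demo():
    db = make_db()
    results = {
        "unsafe": lookup_unsafe(db, PAYLOAD),            # quote closes the literal
        "escaped": lookup_escaped(db, PAYLOAD),          # treated as one odd name
        "escaped_legit": lookup_escaped(db, "o'brien"),  # real name still found
    }
    try:
        lookup_blocking(db, PAYLOAD)
        results["blocked"] = False
    except ValueError:
        results["blocked"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

Blocking also rejects the legitimate value o'brien, which is the cost of that approach when names with apostrophes are valid input.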