in reply to Preventing SQL injection attacks: are -T and placeholders not enough?

It's not to prevent injection attacks per se, but in an app I'm working on now, everything gets passed through a s/'//g to prevent any accidental SQL interpretation. That should take care of any single quotes, and coupled with using place holders, I can't think of how anything would get through.

Then again, it's getting late and my imagination is a little tired :)

Update: Maybe I should have clarified that it's a pretty specific environment where single quote characters shouldn't exist, per client instructions.

Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
by dsheroh (Monsignor) on Jan 09, 2008 at 07:14 UTC
    If youre going to strip out apostrophes, then youd probably better also make sure that its set up so the users know they cant (or at least theyre not allowed to) use any contractions. While youre at it, dont forget to make it clear that any possessives in the users input will also be damaged.
Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
by perrin (Chancellor) on Jan 09, 2008 at 05:29 UTC
    Don't do that. Use placeholders. They handle this for you.
Re^2: Preventing SQL injection attacks: are -T and placeholders not enough?
by parv (Parson) on Jan 09, 2008 at 04:47 UTC
    Hopefully your inputs are not addresses, names, plain old text and such.
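A worked illustration of the objections raised in the replies, added here and not part of the thread: Python's standard-library sqlite3 stands in for Perl DBI, and the sample names are constructed. Placeholders alone store and read back a value containing an apostrophe untouched; applying the post's s/'//g first destroys the data and makes distinct names collide.

```python
import re
import sqlite3

# Constructed sample names for this example (not from the thread).
SAMPLE_NAMES = ["O'Brien", "OBrien", "Fred's Garage"]


def strip_quotes(value):
    """The s/'//g approach from the post: delete every single quote."""
    return re.sub(r"'", "", value)


def make_db():
    """In-memory SQLite database with one table of customer names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_name(conn, name):
    """Bind the value with a placeholder; the driver passes it as data, never as SQL."""
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))


def find_name(conn, name):
    """Look a name up, again via a placeholder, and return the stored strings."""
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


def placeholders_only(names):
    """Store each name exactly as typed and read it back unchanged."""
    conn = make_db()
    for n in names:
        insert_name(conn, n)
    return {n: find_name(conn, n) for n in names}


def strip_then_placeholders(names):
    """Store the quote-stripped names: apostrophes are lost and O'Brien collides with OBrien."""
    conn = make_db()
    for n in names:
        insert_name(conn, strip_quotes(n))
    return {n: find_name(conn, strip_quotes(n)) for n in names}


if __name__ == "__main__":
    print("placeholders only:       ", placeholders_only(SAMPLE_NAMES))
    print("strip, then placeholders:", strip_then_placeholders(SAMPLE_NAMES))
```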