in reply to Bad codes for SQL

Escape all quotes. Parse the strings for quotes before putting them into your sql.

And _never_ trust any user to provide the input you expect!

Always prepare statements and bind escaped values to columns. Never let the user provide parts of the statements him/herself. Or better: Never let the user do ANYTHING to ANY table.

Provide procedures for every action a user can do on a table, i.e. for update/insert/delete/select.

My ideal view of a database design is user interface procedures which work on logical views of the physical tables. That way you can change the physical design of the database (perhaps for performance reasons) without changing any user interfaces at all. It separates the physical and logical table structure.



/brother t0mas
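Added example (not part of the post above): the three approaches it contrasts, side by side on a constructed in-memory SQLite table. The names in `SAMPLE_NAMES` and the function names are my own; the value `O'Brien` is just a legitimate input that happens to contain a quote.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_NAMES = ["alice", "O'Brien", "bob"]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input pasted into the statement text. The quote inside
    O'Brien ends the literal early and the remainder is parsed as SQL,
    so the query fails (or, with other input, changes meaning)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """The post's first advice: escape quotes before building the statement.
    In standard SQL a quote inside a literal is written as two quotes."""
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """The post's second advice: prepare the statement and bind the value.
    The driver never splices the value into the SQL text, so the data
    cannot become part of the statement and no escaping is needed."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> dict:
    """Run all three lookups for the same input and report what each did."""
    conn = make_db()
    result = {}
    try:
        result["concat"] = lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        result["concat"] = "error: " + str(exc)
    result["escaped"] = lookup_escaped(conn, "O'Brien")
    result["param"] = lookup_param(conn, "O'Brien")
    return result


if __name__ == "__main__":
    print(demo())
```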