I am writing a C program that will collect data from various untrusted
sources, and put it in a PostgreSQL database by PQexec'ing an INSERT
INTO statement.
The statements I generate are usually of the form:
INSERT INTO foo (bar, bas) VALUES ('abc', 'def');
but the 'abc' and 'def' come from an untrusted source, so if they supply
a string like "def'); delete from foo; '" they can make me do this:
INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');
What do I need to do to prevent this? My current plan is to prepend a
backslash to every single-quote, backslash, and semicolon in the
untrusted string. Are there any other special characters I should watch
out for? Is it possible to do something evil despite your special
characters being prepended with a backslash?
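An added example, not code from the original post or from libpq: the standard SQL rule is to double a single quote inside a literal rather than backslash it, and nothing else inside '...' (backslashes, semicolons) needs escaping; the function names sql_quote_literal, build_insert and insert_matches are my own. With libpq the better fix is PQexecParams, which sends the values separately from the SQL text, or PQescapeStringConn, which also knows the connection's encoding; the hand-rolled quoter here only illustrates the rule, using the payload from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote an untrusted value as a standard SQL string literal. Inside '...'
 * only the single quote is special, and the standard escape is to double
 * it; backslashes and semicolons are ordinary characters there. Returns a
 * malloc'd string including the surrounding quotes. Illustration only: with
 * libpq use PQexecParams (values travel separately from the SQL text) or
 * PQescapeStringConn (which also handles the connection's encoding). */
char *sql_quote_literal(const char *s)
{
    size_t n = strlen(s), quotes = 0;
    for (const char *p = s; *p; p++)
        quotes += (*p == '\'');
    char *out = malloc(n + quotes + 3);   /* two quotes plus NUL */
    if (!out)
        return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'')
            *q++ = '\'';                  /* ' becomes '' */
        *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* The INSERT from the post, with both untrusted values quoted. */
char *build_insert(const char *bar, const char *bas)
{
    const char *fmt = "INSERT INTO foo (bar, bas) VALUES (%s, %s);";
    char *qb = sql_quote_literal(bar), *qs = sql_quote_literal(bas), *sql = NULL;
    if (qb && qs && (sql = malloc(strlen(fmt) + strlen(qb) + strlen(qs) + 1)))
        sprintf(sql, fmt, qb, qs);        /* buffer sized above, cannot overflow */
    free(qb);
    free(qs);
    return sql;
}

/* Build the statement and check it against the expected text (1 = match). */
int insert_matches(const char *bar, const char *bas, const char *expected)
{
    char *sql = build_insert(bar, bas);
    int ok = sql != NULL && strcmp(sql, expected) == 0;
    free(sql);
    return ok;
}
```

With the post's payload the doubled quotes keep the whole value inside one literal, so the "delete from foo" text is stored as data rather than run as a second statement.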