Re: Sql injection attacks
| From | Harald Fuchs |
|---|---|
| Subject | Re: Sql injection attacks |
| Date | |
| Msg-id | puk6wmlt6s.fsf@srv.protecting.net |
| In reply to | Re: Sql injection attacks (Harald Fuchs <hf0722x@protecting.net>) |
| List | pgsql-general |
In article <6.0.0.22.0.20040729123957.02ac5b70@pop.atz.nl>, "B. van Ouwerkerk" <bvo@atz.nl> writes:

> I've been reading this discussion and I asked myself whether you guys
> remove/replace unwanted chars from strings you get from the web or
> not..

The problem is not limited to strings you get from the web. Those strings can come from _any_ source you don't control fully.

And you don't remove unwanted chars - a search for "O'Neill" is perfectly reasonable and not more dangerous than a search for "Anderson" as long as you escape the quotation mark properly.

> If you do remove them AFAIK it doesn't only prevent SQL injection but also XSS.

You can prevent XSS in the same manner: carefully escape everything that looks dangerous. You just use different escaping rules because you have other dangerous characters (especially '<').
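The point Harald makes above (keep the apostrophe, escape it; use different rules for HTML output) shown as an added example that is not part of the original post or thread. It uses Python's bundled sqlite3 as a stand-in for PostgreSQL so it runs offline; the table, the rows and the function names are constructed for illustration. The quote-doubling rule in `sql_quote` is standard SQL and matches PostgreSQL with `standard_conforming_strings=on` (the default since 9.1); in real code prefer the driver's bind parameters, as `search_param` does.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table (sqlite3 stands in for PostgreSQL here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("Anderson",), ("O'Neill",), ("Smith",)],
    )
    conn.commit()
    return conn


def search_naive(conn: sqlite3.Connection, name: str):
    """Vulnerable: the untrusted string is pasted straight into the SQL text.

    "O'Neill" breaks the statement; "' OR '1'='1" rewrites the WHERE clause.
    Returns the row list, or an error string when the SQL fails to parse.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def sql_quote(value: str) -> str:
    """Standard-SQL string-literal escaping: double every single quote.

    Sufficient for PostgreSQL with standard_conforming_strings=on; any other
    dialect or setting should use the driver's own quoting function instead.
    """
    return "'" + value.replace("'", "''") + "'"


def search_escaped(conn: sqlite3.Connection, name: str):
    """Still string-built, but the apostrophe is escaped, so O'Neill is found
    and the injection attempt becomes a harmless literal."""
    sql = "SELECT name FROM users WHERE name = " + sql_quote(name) + " ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn: sqlite3.Connection, name: str):
    """Preferred form: a bind parameter keeps data and SQL text apart, so
    no escaping rule has to be remembered at all."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def html_safe(value: str) -> str:
    """Output-side escaping for an HTML context: same idea, different
    dangerous characters ('<', '>', '&', quotes), so a different table."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = build_db()
    for probe in ("Anderson", "O'Neill", "' OR '1'='1"):
        print(repr(probe))
        print("  naive:   ", search_naive(db, probe))
        print("  escaped: ", search_escaped(db, probe))
        print("  param:   ", search_param(db, probe))
        print("  as HTML: ", html_safe(probe))
```

Running it shows the two failure modes of the naive version side by side: a legitimate name produces a syntax error, while the crafted string returns every row. Both escaping variants return exactly the matching row for "O'Neill" and nothing for the injection string, and the same "O'Neill" rendered into HTML comes out with `&#x27;` rather than a bare apostrophe.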