Exam Q - SQL


Preventing SQL Injection
Example 1 - Escaping single quotes.

Function Escape (input)
input = replace(input, ''""", ''''''")
escape = input
end function

The function above is one method of sanitising user input and preventing SQL Injection attacks. What does this function do?

Guy Hengel [angelIII / a3], Billing Engineer, commented:
>c) removes spaces between characters.
What makes you choose that? Is there any space in the string?
Try to find the specification of the REPLACE() function, and see what you have to pass to it to remove spaces.
Guy Hengel [angelIII / a3], Billing Engineer, commented:
>input = replace(input, ''""", ''''''")
That code is incorrect (invalid syntax).

Anyhow, what the function is supposed to do is to escape the single quote as 2 single quotes, so it will work correctly without making it fail.

Note: the REAL solution is not to use escaping, but to use parameters.
churchhousetrust (Author) commented:

answer options...

a) changes to the user input to uppercase characters.
b) doubles up single quotation marks
c) removes spaces between characters.
d) none of the above.

Guy Hengel [angelIII / a3], Billing Engineer, commented:
I see.

Now, read my comment anyhow, and you will find the correct answer from the 4 options (hint: it is not d).

Let me post the correct quote/double-quote version of the line that is problematic:

input = replace(input, '''', '''''' )

or, depending on the code language you are using:
input = replace(input, "'", "''")
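
Both of Guy's points in one added example (not code from the thread): the exam's Escape() function rewritten in Python, run beside a parameterised query and beside raw concatenation against a constructed in-memory SQLite table. The table, the sample names and the function names (find_user_escaped, find_user_param, find_user_unsafe, demo) are my own assumptions.

```python
import sqlite3


def escape(value: str) -> str:
    """Double every single quote so it stays data inside a '...' literal.
    This is what the exam's Escape() function does (option b)."""
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    # Constructed sample data; not from the original thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Bob",)])
    conn.commit()
    return conn


def find_user_escaped(conn, name):
    # Concatenation plus escaping: only safe because every quote is doubled,
    # and only for values that sit inside a single-quoted string literal.
    sql = "SELECT id, name FROM users WHERE name = '" + escape(name) + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    # Preferred: the driver sends the value separately from the SQL text,
    # so no quoting rules apply and nothing needs escaping.
    return conn.execute("SELECT id, name FROM users WHERE name = ?",
                        (name,)).fetchall()


def find_user_unsafe(conn, name):
    # Raw concatenation: a single quote in the input breaks the statement.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def demo():
    conn = setup_db()
    results = {
        "escaped": find_user_escaped(conn, "O'Brien"),
        "param": find_user_param(conn, "O'Brien"),
        "unsafe_error": None,
    }
    try:
        find_user_unsafe(conn, "O'Brien")
    except sqlite3.Error as exc:  # the unescaped quote yields a syntax error
        results["unsafe_error"] = str(exc)
    return results
```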

churchhousetrust (Author) commented:
c? - I hate programming