Firstly, I have absolutely no knowledge of SQL, so I probably need a beginner's guide to fixing this.
We have a form on a website that we have inherited and we have been advised that there is a security issue. The comment was made that the following error happened when someone enters an inverted comma ' in a comment box:
"Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm interested in your product'"
We have been told that this is because our website developer is not 'escaping' the characters that are entered, which leaves the site wide open for security breaches (see http://en.wikipedia.org/wiki/SQL_injection).
This came from someone who used the form and now wants to sell us a fix. His less helpful remark was
"If I wanted, I could hack your database. If you'd like help putting it right, my company will fix the code and maintain the site properly for £££ a month."
I don't react too kindly to extortion, so I did not take the offer. But I'd like to fix this. I just don't know how.
Any help would be appreciated.
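The mechanism behind the error in the question, as an added example rather than the poster's own code: the form text is pasted straight into the SQL statement, so the apostrophe in "I'm" closes the string literal early and the rest of the comment is parsed as SQL, which is exactly the "near 'm interested in your product'" error. The fix is to pass the value separately from the statement (a parameterised or "prepared" query), which every MySQL driver supports. This runs against SQLite in memory so it works offline; the `comments` table and the sample comment are constructed for the illustration, and the error text differs slightly from MySQL's, but the cause and the cure are the same.

```python
"""Unsafe string-built INSERT beside a parameterised one.

Constructed example: SQLite in memory stands in for MySQL; the `comments`
table and the sample comment are made up for the demonstration.
"""
import sqlite3

# Constructed: the same kind of input that triggered the error in the question.
SAMPLE_COMMENT = "I'm interested in your product"


def build_unsafe_sql(comment: str) -> str:
    """Builds the statement the way the vulnerable form does: by concatenation.

    The returned text shows the problem directly: the apostrophe in the user's
    comment terminates the SQL string literal, and everything after it is
    handed to the database as SQL rather than as data.
    """
    return "INSERT INTO comments (body) VALUES ('" + comment + "')"


def setup() -> sqlite3.Connection:
    """Creates an in-memory database with a minimal comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def save_comment_unsafe(conn: sqlite3.Connection, comment: str) -> None:
    """Vulnerable version: the user's text becomes part of the SQL itself."""
    with conn:
        conn.execute(build_unsafe_sql(comment))


def save_comment_safe(conn: sqlite3.Connection, comment: str) -> None:
    """Fixed version: the statement has a placeholder, the value travels
    separately, so the driver never interprets the comment as SQL."""
    with conn:
        conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))


def demo(comment: str = SAMPLE_COMMENT) -> tuple[str, list[str]]:
    """Tries both versions on the same comment.

    Returns what happened with the unsafe version ("stored" or the database
    error) and the list of comment bodies actually stored afterwards.
    """
    conn = setup()
    try:
        save_comment_unsafe(conn, comment)
        unsafe_result = "stored"
    except sqlite3.Error as exc:
        # Same failure mode as the MySQL error in the question: the text after
        # the apostrophe is not valid SQL.
        unsafe_result = f"error: {exc}"
    save_comment_safe(conn, comment)
    stored = [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]
    conn.close()
    return unsafe_result, stored


if __name__ == "__main__":
    outcome, rows = demo()
    print("string-built query:", outcome)
    print("parameterised query stored:", rows)
```

Running it shows the concatenated version failing with a syntax error at the apostrophe while the parameterised version stores the comment, apostrophe included, with no escaping code written by hand. Escaping functions (the "escaping" the poster was told about) also work when applied consistently, but a placeholder-based query removes the need to remember them at every query.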