hi,
I want to make my web-app secure against evil SQL statements!
my SQL strings look like:
updateString = "update table_1 set col_1 = '" + postParam_1 + "'";
selectString = "select col_1 from table_1 where col_1 like '" + postParam + "'";
generalSelectString = postParam;
what characters do I have to quote, so that the client can't submit evil SQL statements?
ok: 2 characters I must quote: "'" -> "\'" and "\" -> "\\"
what other characters do I need to quote?
perhaps ";" -> "\;"
thanks
michi
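The usual answer to this question is not a list of characters to escape but a different way of building the query: pass the value through a placeholder so the database driver never treats it as SQL text. The following is an added example, not code from michi's post; it assumes Python's standard `sqlite3` module and a constructed in-memory table standing in for `table_1`/`col_1`. It rebuilds the first two strings from the post both ways, shows that the concatenated form already breaks on an ordinary value containing an apostrophe, and handles the one thing the placeholder does not do for you, the `LIKE` wildcards `%` and `_`. The third string, where the whole statement comes from the client, cannot be made safe by quoting at all; the server has to own the statement and accept only values.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for table_1 / col_1 from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table_1 (col_1 text)")
    conn.executemany("insert into table_1 values (?)",
                     [("alpha",), ("O'Brien",), ("beta",)])
    conn.commit()
    return conn


def select_unsafe(conn, post_param):
    # Same construction as selectString in the post: the client value is spliced
    # into the SQL text, so any quote in it changes the statement's structure.
    select_string = "select col_1 from table_1 where col_1 like '" + post_param + "'"
    return sorted(row[0] for row in conn.execute(select_string))


def select_safe(conn, post_param):
    # Placeholder form: the value travels separately from the SQL text, so no
    # character in it (quote, backslash, semicolon) needs hand-quoting.
    rows = conn.execute("select col_1 from table_1 where col_1 like ?", (post_param,))
    return sorted(row[0] for row in rows)


def update_safe(conn, post_param):
    # updateString from the post, rewritten with a placeholder. Returns rows changed.
    cur = conn.execute("update table_1 set col_1 = ?", (post_param,))
    conn.commit()
    return cur.rowcount


def escape_like(value):
    # Placeholders stop injection, but LIKE still interprets % and _ as wildcards.
    # Escape them (and the escape character itself) when the client means them literally.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def select_literal(conn, post_param):
    # LIKE with an explicit ESCAPE clause so the client value matches only literally.
    rows = conn.execute("select col_1 from table_1 where col_1 like ? escape '\\'",
                        (escape_like(post_param),))
    return sorted(row[0] for row in rows)


def concat_breaks_on_quote(conn):
    # Demonstrates the failure mode: a legitimate value with an apostrophe turns
    # the concatenated query into invalid SQL. sqlite3 reports that as OperationalError.
    try:
        select_unsafe(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concatenation breaks on O'Brien:", concat_breaks_on_quote(db))
    print("placeholder finds O'Brien:", select_safe(db, "O'Brien"))
    print("wildcard search %a%:", select_safe(db, "%a%"))
    print("literal search %a%:", select_literal(db, "%a%"))
```

Run it directly to see the three queries side by side. The point for the original question: with placeholders there is no character list to maintain, and `;` never needed quoting in the first place, since the problem was the quote character ending the string literal, not the statement separator.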