Yesterday I was speaking with a developer, and he mentioned something about restricting the insertions on a database field, like, strings such as -- (minus minus).
SQL injection is a high security risk for most websites that allow users to squirt parameters into a statement that gets executed on a database.
A simple example would be:
Input field "Name: _________"
"SELECT * FROM tblCustomer WHERE Name = '" + nameInputField + "'"
So if I type in "Bob", we have
"SELECT * FROM tblCustomer WHERE Name = 'Bob'"
But if I type in "'; DROP TABLE tblCustomer", we end up with the rather more sinister
"SELECT * FROM tblCustomer WHERE Name = ''; DROP TABLE tblCustomer"
There are lots of ways to avoid these problems, and many are built into whatever language you are using - so rather than think of all the dodgy possibilities ";", "--", "/*" etc, try and use something that already exists.
Shout out what language you're using and I'm sure we can tell you how to avoid these attacks.