I realize that parameterized SQL queries are the optimal way to sanitize user input when building queries that contain user input, but I'm wondering what is wrong with takin
It's a bad idea anyway as you seem to know.
What about something like escaping the quote in string like this: \'
Your replace would result in: \''
If the backslash escapes the first quote, then the second quote has ended the string.
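The failure the answer describes, as an added example (not code from the question or the answer): a small scanner that models how a backslash-escaping SQL dialect such as MySQL reads a string literal, applied to the output of the naive quote-doubling replace, next to the parameterized form. The scanner is a simplified constructed model, not a real parser, and sqlite3 is used only for the bound-parameter comparison.

```python
import sqlite3


def naive_quote(value: str) -> str:
    """The replace the question asks about: double every single quote and wrap."""
    return "'" + value.replace("'", "''") + "'"


def literal_boundary(sql: str) -> tuple[bool, str]:
    """Scan the string literal starting at sql[0] the way a backslash-escaping
    dialect does (constructed model): a backslash escapes the next character,
    and '' inside the literal is an escaped quote.
    Returns (closed, text_left_outside_the_literal)."""
    assert sql.startswith("'")
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":          # backslash swallows the following character
            i += 2
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2         # doubled quote stays inside the literal
                continue
            return True, sql[i + 1:]   # literal closed here
        i += 1
    return False, ""           # never closed: also a broken query


def doubling_is_safe(user_input: str) -> bool:
    """True only if the doubled-quote literal closes exactly at its end."""
    closed, outside = literal_boundary(naive_quote(user_input))
    return closed and outside == ""


def parameterized_lookup(user_input: str) -> list[str]:
    """Same data passed as a bound parameter: the driver never re-quotes it,
    so there is no literal boundary for an escape sequence to disturb."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (name TEXT)")
    con.execute("INSERT INTO t VALUES (?)", (user_input,))
    rows = con.execute("SELECT name FROM t WHERE name = ?", (user_input,)).fetchall()
    con.close()
    return [r[0] for r in rows]
```

With input `\' x` the doubled literal becomes `'\'' x'`: the backslash consumes the first quote, the second quote closes the string, and ` x'` is left outside it; with input `O'Brien` the doubling works, which is exactly why the approach looks safe until an escape-aware dialect is involved.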