I'm trying to simply prove here that this simple function isn't good enough to prevent every sql injection in the world:
Function CleanForSQL(ByVal input A
You're not doing anything wrong. This is how SQL Server parses strings. The first quote opens the string, then you've followed that immediately with an escaped quote followed by Chr(8).
As an exercise, what happens if you run this in SQL Server: SELECT '''Hello'? Exactly the same parsing rules are being applied in this case.
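To make the parsing rule in the answer concrete, here is an added example (not code from the question or the answer): a small Python implementation of the single-quoted literal rule that SQL Server applies, where two consecutive quotes inside a literal stand for one quote character. The `clean_for_sql` helper is an assumption about what the truncated `CleanForSQL` function does (doubling every single quote), since its body is not shown on the page.

```python
"""Added example: SQL Server single-quoted string literal parsing.

Not from the question or the answer. The only rule modelled is the one the
answer describes: inside a literal, '' is an escaped quote, and a lone '
closes the literal.
"""


def parse_sql_string_literal(sql: str, start: int = 0):
    """Parse the single-quoted literal that begins at sql[start].

    Returns (value, end_index): the decoded string and the index just past
    the closing quote. Raises ValueError for an unterminated literal, which
    is the case SQL Server rejects with 'Unclosed quotation mark'.
    """
    if start >= len(sql) or sql[start] != "'":
        raise ValueError("expected opening quote at index %d" % start)
    i = start + 1
    out = []
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            # Two quotes in a row: an escaped quote, not the end of the literal.
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            # A single quote closes the literal.
            return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unclosed quotation mark")


def clean_for_sql(value: str) -> str:
    """Assumed body of the question's CleanForSQL: double every single quote.

    The real function is truncated on the page, so this is a stand-in for
    the quote-doubling behaviour the question and answer are discussing.
    """
    return value.replace("'", "''")


def literal_from_input(value: str) -> str:
    """Build the quoted literal that string-concatenated SQL would contain."""
    return "'" + clean_for_sql(value) + "'"


if __name__ == "__main__":
    # The answer's exercise: SELECT '''Hello' yields the string 'Hello.
    print(parse_sql_string_literal("SELECT '''Hello'", 7))
    # The question's case: a quote followed by Chr(8), after doubling, parses
    # back to exactly the original input, so SQL Server is behaving as designed.
    print(repr(parse_sql_string_literal(literal_from_input("'" + chr(8)))))
```

Running it shows the literal `'''Hello'` decoding to `'Hello`, and the doubled-quote-plus-backspace input decoding back to the same two characters that went in. The parser only models the literal rule; it says nothing about the rest of the statement around the literal, which is why parameterized queries, rather than string concatenation with a cleaning function, are the usual recommendation.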