sql-injection

To start this off, I am well aware that parameterized queries are the best option, but I am asking what makes the strategy I present below vulnerable. People insist the below solution doesn't work, so I am look for an example of why it wouldn't. If dynamic SQL is built in code using the following escaping before being sent to a SQL Server, what kind of injection can defeat this? string userInput= "N'" + userInput.Replace("'", "''") + "'" A similar question was answered here , but I don't believe any of the answers are applicable here. Escaping the single quote with a "\" isn't possible in SQL

In CodeIgniter, how can I avoid sql injection? Is there any method to set in config file to avoid sql injection? I am using this code for selecting values: $this->db->query("SELECT * FROM tablename WHERE var='$val1'"); and this for inserting values: $this->db->query("INSERT INTO tablename (`var1`,`var2`) VALUES ('$val1','$val2')"); Another method used to insert and select values from the database is CodeIgniter's insert() and get() methods. Is any chance to sql injection while using CodeIgniter's bulit-in functions Rocket Hazmat CodeIgniter's Active Record methods automatically escape queries

This is my code: $email= mysqli_real_escape_string($db_con,$_POST['email']); $psw= mysqli_real_escape_string($db_con,$_POST['psw']); $query = "INSERT INTO `users` (`email`,`psw`) VALUES ('".$email."','".$psw."')"; Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ? Scott Arciszewski Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ? As uri2x says, see SQL injection that gets around mysql_real_escape_string() . The best way to prevent SQL injection is to use prepared