This is really funny!
I attended a presentation the other day. The presenter said that in order to avoid SQL injection in string parameters, it is possible to double the single quotes.
For example:
string fix(string s)
{
    return s.replace("'", "''"); // ' -> ''
}
Let’s assume that’s fine.
Now he showed how to use it:
name = GetUserName();
pass = GetUserPass();
sSql = "SELECT count(*) FROM t_users WHERE name='" + name + "' and pass = '" + pass + "'";
sSql = fix(sSql);
execute(sSql);
And now the question for you: does fix work well? Is the way "fix" is used here fine, or is it hackable? How?
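As an added illustration (my own code, not from the talk or this post), here are the same two helpers in Python, run against a constructed in-memory SQLite table. The function names, the table contents and the "O'Brien" sample user are my assumptions. It shows the difference between applying fix() to the assembled statement, which doubles the delimiting quotes as well as the data, and applying it to each parameter, plus the bound-parameter form a practitioner should use instead.

```python
import sqlite3


def fix(s: str) -> str:
    """The presenter's helper: double every single quote."""
    return s.replace("'", "''")


def query_as_presented(name: str, password: str) -> str:
    # fix() applied to the whole statement, as shown in the talk:
    # the quotes that delimit the literals get doubled along with the data.
    sql = ("SELECT count(*) FROM t_users WHERE name='" + name
           + "' and pass = '" + password + "'")
    return fix(sql)


def query_escaping_params(name: str, password: str) -> str:
    # fix() applied to each parameter only, before it is spliced in.
    return ("SELECT count(*) FROM t_users WHERE name='" + fix(name)
            + "' and pass = '" + fix(password) + "'")


def make_db() -> sqlite3.Connection:
    # Constructed sample table; "O'Brien" shows why quotes occur in real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO t_users VALUES (?, ?)",
                     [("bob", "hunter2"), ("O'Brien", "pw")])
    return conn


def count_as_presented(name: str, password: str):
    """Row count for the talk's version, or None if SQLite rejects the SQL."""
    try:
        return make_db().execute(query_as_presented(name, password)).fetchone()[0]
    except sqlite3.OperationalError:
        # name=''bob'' is an empty literal followed by a bare token: syntax error
        return None


def count_escaping_params(name: str, password: str) -> int:
    return make_db().execute(query_escaping_params(name, password)).fetchone()[0]


def count_parameterized(name: str, password: str) -> int:
    # Preferred: bound parameters; data never becomes part of the statement text.
    return make_db().execute(
        "SELECT count(*) FROM t_users WHERE name=? AND pass=?",
        (name, password)).fetchone()[0]
```

With fix() on the whole statement even a correct login fails, because the statement is no longer valid SQL; escaping or binding the parameters themselves is what keeps a quote in the data from being read as a quote in the query.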
C’ya next time,
Maty