S said:
How about using the following function in the code to prevent sql
injection.
<snip of a typical filter function>
It might help against a less-determined hacker*, but the only way to
absolutely prevent sql injection is to stop using dynamic sql. Without
dynamic sql, injecting unwanted sql is almost impossible. Secondary sql
injection is still possible, so you do have to be careful with values
retrieved from a database that were entered via user input. No data entered
by users should be trusted.
I really cannot understand this love affair that people have with dynamic
sql, when it is so easy to use parameters. Dynamic sql is hard! Having to
deal with delimiters, quotes in the data, etc. ... it's no wonder that
dynamic sql questions were so common in these groups up to a few years ago.
Using parameters does away with all those issues. It amazes me that this is
not the tool of first resort when teaching beginners how to program with
databases.
There is only one situation where dynamic sql is necessary, and that is
where database objects (table or column names) referred to in a sql
statement need to be variable. In that situation, it is possible to prevent
sql injection by validating the data passed from the user contains nothing
more than the expected object names.
* and if you read the comments in the function you will see that it might
prevent the entry of innocent data.