I'm writing some C++ functions for ease of coding MySQL apps; in this case I'm writing a function to filter text that a user would input.
Other than these quotes: ' '
And these quotes: ``
What are other chars I should be watching out for or escaping?
Currently my code is just turning ' into \' and ` into \' as well. (it checks to see if there's already a \ there)
Anything else I should be checking out for as far as SQL injections or otherwise DB breaking goes?
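The filter described in the post, reconstructed beside an escaper that covers the full set of bytes MySQL treats as special inside a quoted string literal. This is an added example, not the poster's code: `naive_filter`, `escape_literal` and `stays_inside_literal` are hypothetical names, the reconstruction of the original filter is an assumption, and the sample inputs are constructed.

```cpp
#include <string>

// Assumed reconstruction of the filter described in the post: ' and ` become \'
// unless the preceding character is already a backslash.
std::string naive_filter(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        bool quote = (in[i] == '\'' || in[i] == '`');
        if (quote && (i == 0 || in[i - 1] != '\\')) out += "\\'";
        else out += in[i];
    }
    return out;
}

// Escapes the bytes MySQL documents as special inside a quoted string literal
// (the set mysql_real_escape_string() handles). Assumes default sql_mode and a
// single-byte or UTF-8 connection character set.
std::string escape_literal(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '\0':   out += "\\0";  break;
            case '\n':   out += "\\n";  break;
            case '\r':   out += "\\r";  break;
            case '\x1a': out += "\\Z";  break;  // Ctrl-Z
            case '\\':   out += "\\\\"; break;
            case '\'':   out += "\\'";  break;
            case '"':    out += "\\\""; break;
            default:     out += c;              // backtick needs no escaping here
        }
    }
    return out;
}

// True if `escaped`, placed between single quotes, remains one string literal:
// each backslash consumes the next byte and no unescaped ' is left over.
bool stays_inside_literal(const std::string& escaped) {
    for (std::size_t i = 0; i < escaped.size(); ++i) {
        if (escaped[i] == '\\') {
            if (++i == escaped.size()) return false;  // would escape the closing quote
        } else if (escaped[i] == '\'') {
            return false;
        }
    }
    return true;
}
```

An ordinary value such as a Windows path ending in a backslash passes through the quote-only filter unchanged and breaks the statement, which is why the backslash itself has to be escaped. In application code, `mysql_real_escape_string()` or prepared statements do this with knowledge of the connection character set.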