If Searching for Quotes Breaks Your Software
Technology | April 13, 2018


When entering a single or double quote crashes your application, you likely have a SQL injection vulnerability. Here's what to do about it.


Zach Robichaud


If your application errors out when someone enters ' or " into a form field, you probably have a SQL injection vulnerability. While SQL injection is dangerous, it's relatively straightforward to fix—though it may require significant rework depending on your codebase.

I won't go deep into prevention techniques here since there are already many great resources available. Instead, I want to point you toward the solution.

The Quick Fix

At minimum, escape all ' and " characters before they reach the query. PHP has functions like mysql_real_escape_string() for this purpose, but that function is deprecated and the whole mysql extension was removed in PHP 7, so it is not a long-term answer. Escaping also only protects input placed inside a quoted string literal; it does nothing for values dropped into numeric comparisons, identifiers, or LIMIT clauses.

The Better Solution

Use PDO (PHP Data Objects) with prepared statements. This is the modern, secure approach.

Instead of concatenating user input directly into queries:

// Vulnerable - DON'T DO THIS
// A quote in $_POST['name'] closes the string literal early, so the user's text is parsed as SQL.
$sql = "SELECT * FROM users WHERE name = '" . $_POST['name'] . "'";

Use prepared statements:

// Safe - DO THIS
// The query text is compiled first; the value is bound afterwards and is never parsed as SQL.
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = :name");
$stmt->execute(['name' => $_POST['name']]);
$users = $stmt->fetchAll(PDO::FETCH_ASSOC);

Prepared statements separate SQL logic from data: the query text is sent to the database on its own and the bound values are supplied separately, so nothing the user types can change the structure of the query. One caveat worth knowing: placeholders bind values only. Table and column names, sort direction, and similar pieces of query structure cannot be parameterized and must be checked against an allow-list in your code instead.
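As an added example, not code from the original post: the script below reproduces the symptom the title describes and shows the fix side by side. It uses an in-memory SQLite database through PDO so it runs offline; the users table, its rows, and the function names are constructed for this illustration.

```php
<?php
// Added example (not from the original post). In-memory SQLite via PDO so it
// runs offline; the users table and its rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");

// Vulnerable: the search term is spliced into the SQL text, so any quote in
// it becomes part of the query's grammar instead of staying data.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the query is compiled with a placeholder and the search term is
// bound as a value, so the database never parses it as SQL.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly legitimate search term that happens to contain a quote.
$search = "O'Brien";

try {
    findUserVulnerable($pdo, $search);
} catch (PDOException $e) {
    // The apostrophe closed the string literal early; SQLite reports a
    // syntax error. This is the "entering a quote crashes the app" symptom.
    echo "vulnerable query failed: " . $e->getMessage() . PHP_EOL;
}

// The same input is just data here and the matching row comes back.
print_r(findUserPrepared($pdo, $search));
```

Run it with any PHP build that has the pdo_sqlite extension enabled; the first lookup throws while the second returns the O'Brien row.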
