Chances are, if you are using a database and your application errors out when you enter ' or " into a field, you're prone to SQL injection. While SQL injection is very dangerous, it's relatively simple to resolve. I say simple, but it could mean a lot of re-work for you.
I don't want to go over how to prevent and cure SQL injection in general; there are already so many great resources out there on that. I just want to show one solution to the problem.
Really, the quickest thing you can do is escape all " and '. PHP has a lot of useful functions for this, like mysql_real_escape_string (now deprecated). But the biggest single improvement is to use PDO (PHP Data Objects) with prepared statements, so the values are passed separately from the SQL text.
This sample query, with the value written straight into the SQL:

$sql = <<<SQL
SELECT * FROM users WHERE users.id = '123';
SQL;

would turn into something like this, with the value bound to a named placeholder:

$sql = <<<SQL
SELECT * FROM users WHERE users.id = :user_id
SQL;
$sth = $dbh->prepare($sql);
$sth->execute([':user_id' => '1234']);
$results = $sth->fetchAll(PDO::FETCH_ASSOC);
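As an added example (not the original post's code), here are the concatenated query and the PDO prepared statement side by side, run against a constructed in-memory SQLite database so it works offline; the `users` table layout and the sample rows are assumptions. It shows the symptom described at the top: a stray quote in the input makes the concatenated query throw, while the prepared statement simply finds no matching row.

```php
<?php
// Added example (not the original post's code): vulnerable string-built
// query beside its PDO prepared-statement counterpart, on an in-memory
// SQLite database. Assumed: table "users" with columns id and name;
// the sample rows are constructed.
declare(strict_types=1);

function makeDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $dbh->exec("INSERT INTO users (id, name) VALUES (123, 'alice'), (1234, 'bob')");
    return $dbh;
}

// Vulnerable: user input is pasted into the SQL text, so a quote in the
// input becomes part of the statement itself.
function findUserVulnerable(PDO $dbh, string $userId): array
{
    $sql = "SELECT * FROM users WHERE users.id = '$userId'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound to a named placeholder and sent separately
// from the SQL text, so it can never change the structure of the query.
function findUserSafe(PDO $dbh, string $userId): array
{
    $sql = <<<SQL
SELECT * FROM users WHERE users.id = :user_id
SQL;
    $sth = $dbh->prepare($sql);
    $sth->execute([':user_id' => $userId]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

$dbh = makeDb();
// A normal id finds its row with the prepared statement.
var_dump(findUserSafe($dbh, '123'));

// The diagnostic from the post: a stray quote in the input.
$input = "123'";
try {
    findUserVulnerable($dbh, $input);
} catch (PDOException $e) {
    echo "vulnerable query failed: " . $e->getMessage() . "\n";
}
// The prepared statement looks for the literal string and returns no rows.
var_dump(count(findUserSafe($dbh, $input)));
```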
Some useful links: