There are names like O'Conner... or fields that could take possessive words
like Mothers' Helpers.
I couldn't use field = replace(request("field"),"'","''") on the forms on
many of the sites I have designed and must 'loop through' (parse) the input
data more intelligently.
This is a normal part of designing and programming input forms for public
consumption. All the suggestions here have been good ones, each useful in
different situations. This isn't a bug IMHO... but it is the best argument
for using <option> pick lists on forms that are going to generate SQL
selects.
Peace,
Mike
>
>I am leaning towards sending this to bugtraq as the prevailing opinion
>seems to be that checking this data is an inconsequential feature, and
>the security implications seem to have escaped most programmers. The
>principle is a really basic one, ALL data received from untrusted
>users MUST be checked completely before use in trusted contexts like
>SQL queries.
>
>greg
>
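An added illustration of the two points made in this thread (this is not code from either poster, and it uses Python's sqlite3 with a constructed table rather than the ASP forms under discussion): splicing a value such as O'Conner into the SQL text breaks the statement, whereas binding the value as a parameter delivers it verbatim without any replace() loop, and a pick-list field is checked against an allowlist before it reaches the query.

```python
import sqlite3

# Constructed in-memory table standing in for the form's backing database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?)",
        [("O'Conner", "Mothers' Helpers"), ("Smith", "Plumbers")],
    )
    return conn

# Allowed values for a field rendered as an <option> pick list (constructed).
CATEGORIES = {"Mothers' Helpers", "Plumbers"}

def lookup_concat(conn, name):
    """The fragile pattern: the form value is pasted into the SQL text.
    A legitimate apostrophe in the data terminates the string literal early
    and the database rejects the statement."""
    sql = "SELECT name, category FROM contacts WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name, category):
    """Bound parameters: the driver passes each value to the engine as data,
    so apostrophes need no escaping. The pick-list field is additionally
    checked against the allowlist, since the browser cannot be trusted to
    send only the <option> values the form offered."""
    if category not in CATEGORIES:
        raise ValueError("unknown category: %r" % category)
    sql = "SELECT name, category FROM contacts WHERE name = ? AND category = ?"
    return conn.execute(sql, (name, category)).fetchall()

def concat_fails_on(name):
    """True when the concatenated query cannot even be parsed for this name."""
    try:
        lookup_concat(make_db(), name)
    except sqlite3.OperationalError:
        return True
    return False
```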