Apostrophe in Alpha Tag throws SQL error

[w2lie]

I attempted to add an apostrophe into an alpha tag using the import function and the result was a SQL error. Removing the apostrophe from the alpha tag allowed me to import correctly.

For security reasons, I don't think I should put the SQL output in a public forum, but if anyone want to try, this is the line that cause the failure:

152.45  167.9 PL  Stuart's Taxi (Westbury)  Stewart's  WQTP682  FMN  BM  Business

 

[eorange]

This is a telltale sign of a SQL injection attack vulnerability.

 

[QDP2012]

Apostrophe's should not be allowed (as commands, at the injection-point). In other DBMSs, that is a serious vulnerability, and likely is here (in the above described situation), too.

 

[eorange]

An apostrophe can certainly be allowed. That's not the problem.

The problem is whomever wrote the software that updates the database didn't prevent user input from being interpreted as literal SQL commands.

 

[QDP2012]

An apostrophe can certainly be allowed. That's not the problem.

The problem is whomever wrote the software that updates the database didn't prevent user input from being interpreted as literal SQL commands.

Correct. I added clarification to my earlier statement which should have been included originally.

 

[DaveNF2G]

The solution is to put two apostrophes (not a double quote) where you want one to appear in the data.

"Stuart''s Taxi" should work.