Convert single quote (and more!) to help prevent SQL injection
Here is a working version of a form text box whose submitted value is passed through a function that converts offending characters to XHTML entities that can be stored safely in databases.
For example, single quotes ( ' ) will be converted to ( &#39; )
The function converts over 55 symbols like & ' § © ® ¦ < > ¶ ½ and over 130 entity names like &lt; &gt; &ndash; &mdash; &lsquo; &rsquo; &sbquo; &ldquo; to entity numbers that will work with all databases and XML files. This was written originally to convert our Blog posts to RSS feeds. Many users compose in MS Word, and although we strip out most non-compliant MSO code, some symbols such as left-hand and right-hand quotes sneak through. This function solved that problem.
The function is named TWD_StripHTML and its use is simple. Call the function on the request field before its value is used in a database update or RSS insert script, like this:
<% field_name = TWD_StripHTML(request.form("field_name")) %>
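An added example, not the page's TWD_StripHTML (whose source is not shown): a reduced JavaScript reimplementation of the same conversion, with the entity table cut down to a sample (the page's function covers over 55 symbols and 130 names). It also shows the check a practitioner wants from such a filter: entities that are already numeric pass through untouched, so running the function twice does not double-encode.

```javascript
// Sample table (assumption: a subset of the page's 130+ names): entity name -> code point.
const NAMED_TO_CODE = {
  lt: 60, gt: 62, amp: 38, quot: 34, apos: 39,
  ndash: 8211, mdash: 8212, lsquo: 8216, rsquo: 8217, sbquo: 8218,
  ldquo: 8220, rdquo: 8221, sect: 167, copy: 169, reg: 174,
  brvbar: 166, para: 182, frac12: 189,
};
// Raw characters that get rewritten to &#N; (same code points as the table above).
const ENCODE_CHARS = new Set(Object.values(NAMED_TO_CODE));
// A well-formed entity reference at the start of a string: &#39; &#x27; or &lsquo;
const ENTITY_AT_START = /^&(#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);/;

function toNumericEntities(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    if (text[i] === '&') {
      const m = ENTITY_AT_START.exec(text.slice(i));
      if (m) {
        const ref = m[1];
        if (ref[0] === '#') {
          out += m[0];                       // already numeric: keep as is (idempotent)
        } else if (NAMED_TO_CODE[ref] !== undefined) {
          out += '&#' + NAMED_TO_CODE[ref] + ';'; // known name -> entity number
        } else {
          out += m[0];                       // unknown name: pass through unchanged
        }
        i += m[0].length;
        continue;
      }
      out += '&#38;';                        // bare ampersand, e.g. "AT&T"
      i += 1;
      continue;
    }
    const cp = text.codePointAt(i);
    const len = cp > 0xffff ? 2 : 1;         // astral characters occupy two UTF-16 units
    out += ENCODE_CHARS.has(cp) ? '&#' + cp + ';' : text.slice(i, i + len);
    i += len;
  }
  return out;
}

module.exports = { toNumericEntities };
```

Encoding the stored value changes what is written, not how the query is built, so the database update itself should still use parameterised commands rather than string concatenation; this filter is one layer, not the whole defence.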
NOTE: Little can be done to prevent the determined hacker from attacking your site and these code examples are only one of a series of preventative measures that you could take. Please check with your web developer or other security expert to make sure your site is fully protected and that these script examples will be effective for you in your code and database environment.
To convert wholesale code to entities use our Entity Converter or check out this PDF reference chart.