Hopefully doing more than just encoding/escaping -- never place user data directly into a SQL statement! Always use placeholders like ? or whatever your flavor of DB allows. And if it doesn't allow for that, really think hard about why you're using that db (or db sdk)!
Hopefully doing more than just encoding/escaping -- never place user data directly into a SQL statement! Always use placeholders like ? or whatever your flavor of DB allows. And if it doesn't allow for that, really think hard about why you're using that db (or db sdk)!
Fair, I just wanted to throw in something about security after making the questionably phrased statement of 'trust user input' :D