Don’t do it. You’re practically guaranteed to fail. Use PreparedStatement
(or its equivalent) instead.
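The advice above, as an added example that is not from the original post: Python's `sqlite3` parameter binding stands in for Java's `PreparedStatement`, and the table rows and inputs are constructed for the demonstration. It puts a concatenated query beside the parameterized one so the difference in behaviour can be run and checked.

```python
import sqlite3

# Constructed sample rows, not data from the original page.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Builds the statement by string concatenation: input becomes SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Binds the input as parameters: the driver treats it as data, never syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo() -> dict:
    """Run both lookups with a quote-bearing input and a legitimate one."""
    conn = make_db()
    # The quote changes the concatenated statement's structure; the
    # parameterized statement just compares against this literal string.
    quoted_input = "' OR '1'='1"
    return {
        "concatenated": lookup_concatenated(conn, "alice", quoted_input),
        "parameterized": lookup_parameterized(conn, "alice", quoted_input),
        "legitimate": lookup_parameterized(conn, "alice", "s3cret"),
    }
```

No escaping or regex filter is involved in the safe path; the query text is fixed and the values travel separately, which is why parameter binding works regardless of what characters the input contains.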