Hello,
I've two questions regarding SQL security in the context of web scripting.
Q1: Are there any characters that can possibly damage or corrupt a table's data?
My understanding is that there's no danger, so any kind of input can be inserted into a table. But when these characters are displayed on a web page, the characters need to be unescaped (e.g. a double quote " becomes ") or else they can mess up the page's display. Worse, malicious code can be injected to allow unauthorised viewing of files or access to the server's resources.
Q2: When an input (QUERY) is used in a query, e.g. (SELECT * FROM users WHERE username=QUERY), the input needs to be checked to ensure that no malicious code is injected.
Could anyone enlighten me on the above?
Thanks in anticipation
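
As an added example (not part of the original post), the following Python script shows both points the question raises in working code: the table and the two sample users are constructed here for illustration, and the script uses only the standard-library sqlite3 and html modules. Q1: with a parameterised INSERT, quotes, angle brackets and ampersands are stored exactly as given and cannot corrupt the table; they only become dangerous when echoed into a page unescaped, which html.escape() handles at output time. Q2: lookup_unsafe() builds the (SELECT * FROM users WHERE username=QUERY) query by string concatenation and can be turned into "return every row", while lookup_safe() binds the same input as a parameter so it is treated as data, never as SQL.

```python
import html
import sqlite3

# Constructed sample data: display names containing characters that look
# dangerous to SQL (the apostrophe) and to HTML (<, >, ", &).
SAMPLE_USERS = [
    ("alice", "Alice O'Brien <b>\"admin\"</b>"),
    ("bob", "Bob & Co"),
]


def make_db():
    """Create an in-memory SQLite database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)"
    )
    # Parameterised INSERT: every byte of display_name is stored verbatim.
    # The driver never lets the apostrophe or the brackets become SQL syntax.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """The pattern from Q2 done by string concatenation (vulnerable).

    A value such as  x' OR '1'='1  closes the quoted literal and appends
    a condition that is always true, so every username comes back.
    """
    sql = "SELECT username FROM users WHERE username='" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, username):
    """Same query with a bound parameter: the input is data, never code."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username=?", (username,)
    )
    return sorted(row[0] for row in rows)


def render_name(conn, username):
    """Fetch display_name and escape it for HTML at output time (Q1).

    Returns None for an unknown user; otherwise the entity-encoded text that
    is safe to place inside an HTML element or a double-quoted attribute.
    """
    row = conn.execute(
        "SELECT display_name FROM users WHERE username=?", (username,)
    ).fetchone()
    if row is None:
        return None
    return html.escape(row[0], quote=True)


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, attack))   # both users leak
    print("safe:  ", lookup_safe(db, attack))     # nothing matches
    print("html:  ", render_name(db, "alice"))    # entities, not markup
```

The stored value is never modified on the way into the table; the only transformation happens in render_name(), and it is the one the question calls "unescaping": the raw string is converted to HTML entities immediately before it is written into the page. Note also that lookup_unsafe() would fail on a perfectly legitimate username containing an apostrophe, which is a second reason, beyond injection, to bind parameters.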
