I've two questions regarding SQL security in the context of web scripting.
Q1: Are there any characters that can possibly damage or corrupt a table's data?
My understanding is that there's no danger so any kinds of input can be inserted into a table. But when these characters are displayed on a web page, the characters need to be unescaped ( e.g. a double quote " becomes " ) or else they can mess up the page's display. Worse, malicious code can be injected to allow unauthorised viewing of files or access to the server's resources.
Q2: When an input (QUERY) is used in a query e.g. (SELECT * FROM users WHERE username=QUERY), the input needs to be checked to ensure that no no malicious code is injected.