Special characters in SQL statements and prevention of SQL Injection

Some special characters in SQL statements are reserved by SQL statements. For example. We can first look at their usage.

When you need to query a certain data, add a condition statement, or when you need an insert record, we use 'to cause data of the character type. For example:
Select * from MERs where city = 'London'

When the table name or column name contains spaces and other special characters, We need to [] The table name to tell the syntax analyzer, [] is a complete name. For example

Select * from [Order Details]

What should I do if the character data contains? In fact, many people do not process the character "symbol" here, which may cause SQL Injection risks. The example above. In the era of SQL statement concatenation, such

String SQL = "select * from MERs where customerid = '" + temp + "'";

If I assign the Temp value to Tom 'or 1 = 1 ---
Then the statement you splice is select * from MERs where customerid = 'Tom 'or 1 = 1 ---'
Haha, 1 = 1 is true, --- comment out the following SQL statement. The preceding statement is valid because of input. The or condition Selects all records. This is SQL injection. If the problem is not handled during user login, your system may be vulnerable.
How does one process the 'symbol in character data? The method is very simple. replace one with two 'symbols. For example, if the actual input value is Lon 'Don
Select * from MERs where city = 'lon ''don'
You can.

What if the table or column name contains [or] characters? For example, if select * from [order] Details], the intermediate] symbol is not matched with the first. It is invalid. What should we do? Simple, use] instead of]. For [, you do not need to handle it. Then it should be
Select * from [order] Details].