Thread: Rigid FAA Forms
Old September 2nd 06, 08:48 PM posted to rec.aviation.piloting
Grumman-581[_1_]

On Sat, 2 Sep 2006 18:33:16 +0000 (UTC),
(Paul Tomblin) wrote:
My favourite is the programmers who forget to escape single quotes when
they're inserting into SQL databases, so everybody with an apostrophe in
their name like an O'Rielly or O'Hara gets an error.


On my first SQL based system, I did that, but I soon realized my
mistake during testing with real user names...

Usually these are the same web programmers who don't protect
against "SQL Injection Attacks" - they take the name you
insert, and stick it into an SQL statement doing a
"insert into user_data values('" + name + "');"
which you can then do major damage by inserting your name as
"a');drop database;" or
"a');delete from user_data;"
or something similarly nasty.


Hmmm... Interesting... I don't think I tried that one... I tended to
use stored procedures that would get called from the web interface and
the insert would be of this format:

insert MY_TABLE (
FIELD_1,
FIELD_2,
FIELD_3
) values (
@VALUE_1,
@VALUE_2,
@VALUE_3
)
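The two insert styles discussed in this thread, shown side by side as an added example (this is not code from either poster). It assumes Python's built-in sqlite3 driver and an in-memory database; the names used as input are constructed for the demonstration. The string-concatenation version fails on the apostrophe in O'Hara and on a name carrying a trailing statement, while the parameterized version, which plays the same role as the @VALUE_n parameters of the stored procedure, stores both strings as ordinary data.

```python
import sqlite3

# Constructed sample inputs for this example (not from the thread's systems):
# a legitimate name containing an apostrophe, and the kind of trailing
# statement the thread describes.
APOSTROPHE_NAME = "O'Hara"
TRAILING_STATEMENT = "a');delete from user_data;"


def fresh_db():
    """In-memory SQLite database with the table the thread's example inserts into."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user_data (name text)")
    return conn


def concatenated_insert(name):
    """The pattern the thread warns against: the name is glued into the SQL text.
    Returns 'ok' if the statement ran, otherwise 'error: <driver message>'."""
    conn = fresh_db()
    sql = "insert into user_data values('" + name + "')"
    try:
        conn.execute(sql)
        return "ok"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # An unescaped apostrophe breaks the statement; a trailing second
        # statement is rejected by sqlite3's one-statement-per-execute rule.
        return "error: " + str(exc).splitlines()[0]


def parameterized_insert(name):
    """Same insert with a bound parameter (the '?' corresponds to @VALUE_1 in
    the stored procedure above): the value travels separately from the SQL
    text, so apostrophes and semicolons are stored as plain data.
    Returns the table contents after the insert."""
    conn = fresh_db()
    conn.execute("insert into user_data values(?)", (name,))
    return [row[0] for row in conn.execute("select name from user_data")]


if __name__ == "__main__":
    for name in ("Smith", APOSTROPHE_NAME, TRAILING_STATEMENT):
        print(repr(name))
        print("  concatenated :", concatenated_insert(name))
        print("  parameterized:", parameterized_insert(name))
```

The error on the trailing-statement input comes from sqlite3 refusing to run more than one statement per execute() call; that is a property of this particular driver, not a defence. Drivers and servers that accept batches (the T-SQL style of the stored procedure suggests one) would run the second statement, so the fix that works everywhere is the bound parameter, with escaping left to the driver rather than the web code.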