
SQL INJECTION - Connector

Hi

I am having trouble avoiding SQL injection through connectors. I happen to send as a parameter a field in a form that is used by my clients as an input for comments and observations. They started inserting apostrophe characters ( ' ), which are the ones used in PostgreSQL (my database) in functions.

So let's say I call my function like Select approveRequest('$req_no', '$name', '$observations');

The variable observations is mapped to a text area input where my user inserted code like "PRODUCT DESCRIPTION: 2LT 2x2' KETCHUP"
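An added example, not code from the original post, contrasting the interpolated call shown in the question with the parameterized form a PostgreSQL driver expects, plus a quote-doubling fallback for connectors that only accept pasted text. The request number and name values are constructed placeholders; only approveRequest and the observations text come from the post.

```python
# Added example: why pasting the observations field into the SQL breaks the
# call, and the two ways to keep an apostrophe as data rather than syntax.

def build_call_unsafe(req_no, name, observations):
    # The pattern from the post: values interpolated straight into the SQL text.
    # A single quote in any value closes the literal early.
    return f"SELECT approveRequest('{req_no}', '{name}', '{observations}');"

def build_call_parameterized(req_no, name, observations):
    # Shape used by psycopg2-style drivers: cursor.execute(sql, params).
    # The driver ships the values separately from the statement, so quotes
    # inside them never reach the SQL parser as grammar.
    sql = "SELECT approveRequest(%s, %s, %s);"
    return sql, (req_no, name, observations)

def quote_literal(value):
    # Fallback when the connector only lets you paste text: double every
    # single quote, which is how PostgreSQL escapes an apostrophe inside a
    # string literal (assumes standard_conforming_strings = on, the default
    # since PostgreSQL 9.1). Prefer parameters whenever the connector allows.
    return "'" + str(value).replace("'", "''") + "'"

def build_call_escaped(req_no, name, observations):
    return (
        "SELECT approveRequest("
        f"{quote_literal(req_no)}, {quote_literal(name)}, "
        f"{quote_literal(observations)});"
    )

def has_balanced_quotes(sql):
    # Cheap sanity check: an odd number of single quotes means a literal was
    # torn open by user input.
    return sql.count("'") % 2 == 0

if __name__ == "__main__":
    # Constructed sample: the observation text quoted in the post.
    obs = "PRODUCT DESCRIPTION: 2LT 2x2' KETCHUP"
    print(build_call_unsafe("R-1001", "Alice", obs))
    print(build_call_parameterized("R-1001", "Alice", obs))
    print(build_call_escaped("R-1001", "Alice", obs))
```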
