A coworker and I are having a discussion regarding this. All best practice guides highly recommend using parameterized SQL to prevent SQL injection. I know building SQL using string concatenation and escaping single quotes is not recommended and may introduce a SQL injection vulnerability, and I've seen many theories regarding Unicode/hexadecimal etc.; however, can anyone help me prove to my coworker with a simple example how one would use SQL injection if one is simply escaping ‘ (single) with ” (double)?

Thanks in advance,
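An added, self-contained demonstration (not from the original post) of why quote-doubling is not a general defence: it only protects input that lands inside a quoted string literal, so a value spliced into an unquoted (numeric) position is unaffected by it, whereas a bound parameter is always handled as a value. The table, rows and probe input are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn


def escape_quotes(value: str) -> str:
    """The escape-only approach the post describes: double every single quote."""
    return value.replace("'", "''")


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    # Quoted string-literal context: doubling keeps the input inside the literal,
    # so a name containing an apostrophe is looked up correctly.
    sql = ("SELECT name FROM users WHERE name = '" + escape_quotes(name)
           + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def find_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    # Unquoted numeric context: there is no quote for escape_quotes() to act on,
    # so the input becomes part of the SQL text and is parsed as SQL, not data.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterized form: the driver sends the value separately from the SQL
    # text, so it can only ever be compared as a value in the id column.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo() -> dict:
    conn = make_db()
    probe = "1 OR 1=1"  # constructed input that is not a valid id
    return {
        "escaped_quoted": find_by_name_escaped(conn, "O'Brien"),  # ["O'Brien"]
        "escaped_numeric": find_by_id_escaped(conn, probe),       # every row
        "param_numeric": find_by_id_param(conn, probe),           # []
    }
```

The two numeric lookups receive the same input; only the parameterized one keeps it as data.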

