Hello,
I have a PB Classic app that has some SQL injection problems. They are caused by some DESCRIBE statements, which as far as I know are related to duplicate detection in lists.
Anyway, the app was not developed by me and it builds a SQL SELECT query by text concatenation that is then used in a DESCRIBE statement, like this:
ls_sqlsyntax = "SELECT " + ls_fields + " FROM " + ls_table + " WHERE " + ls_where
PREPARE SQLSA FROM :ls_sqlsyntax USING SQLCA;
DESCRIBE SQLSA INTO SQLDA;
where ls_where is:
ls_where = "(" + ls_dbname + " = '" + ls_valor + "')"
And ls_valor is an unescaped string that can contain a single-quote character (').
Is there an API function I can call to appropriately encode this type of character?
Something like this exists in other programming environments, for example "mysql_real_escape_string" in PHP.
Thanks,
João Jerónimo
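As an added example (not the poster's code), here is how the same lookup can be run with PowerBuilder's dynamic SQL Format 4 so that ls_valor is bound as a parameter rather than spliced into the statement text; the variable names are assumed to mean the same as in the post, the table allowlist is hypothetical, and SQLCA is assumed to be connected.

```powerbuilder
// Added example, not from the original post: bind ls_valor as a parameter
// so a single quote inside it is plain data, never part of the SQL text.
// Assumes SQLCA is connected; ls_table, ls_dbname, ls_fields and ls_valor
// have the same meaning as in the post. Returns rows fetched, or -1 on error.
integer li_rc
long ll_rows = 0
string ls_sqlsyntax

// Identifiers (table, column, field list) cannot be bound as parameters,
// so restrict them to known values before building the statement.
// Hypothetical allowlist; extend the same idea to ls_dbname and ls_fields.
CHOOSE CASE Lower(ls_table)
    CASE "customers", "orders"
        // accepted
    CASE ELSE
        RETURN -1
END CHOOSE

// The ? placeholder stands for the value; it is sent separately from the SQL.
ls_sqlsyntax = "SELECT " + ls_fields + " FROM " + ls_table + &
    " WHERE " + ls_dbname + " = ?"

DECLARE lcur_safe DYNAMIC CURSOR FOR SQLSA;

PREPARE SQLSA FROM :ls_sqlsyntax USING SQLCA;
IF SQLCA.SQLCode <> 0 THEN RETURN -1

// DESCRIBE fills SQLDA with the input parameters the statement expects
DESCRIBE SQLSA INTO SQLDA;
IF SQLCA.SQLCode <> 0 OR SQLDA.NumInputs <> 1 THEN RETURN -1

// Bind the raw string to the first placeholder; no escaping required
li_rc = SetDynamicParm(SQLDA, 1, ls_valor)
IF li_rc <> 1 THEN RETURN -1

OPEN DYNAMIC lcur_safe USING DESCRIPTOR SQLDA;
IF SQLCA.SQLCode <> 0 THEN RETURN -1

FETCH lcur_safe USING DESCRIPTOR SQLDA;
DO WHILE SQLCA.SQLCode = 0
    ll_rows++
    FETCH lcur_safe USING DESCRIPTOR SQLDA;
LOOP
CLOSE lcur_safe;

RETURN ll_rows
```

The output columns are read from SQLDA after each FETCH (SQLDA.NumOutputs with GetDynamicString and friends), exactly as the existing DESCRIBE-based code already does.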