The correct answer here is Yes, this is bad.
While I understand no one wants a Bobby Drop Tables situation, you handle this at the server side of the equation. You encode the character so that your DB system doesn't mistake it for a string delimiter.
Sigh.
#webshit101 #mygov #headdesk :thisisfine:
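An added example, not part of the original post: values containing the string delimiter are stored intact once the server handles them, so the form has no reason to ban the character. It shows the escaping the post describes and, as a swapped-in alternative, bound parameters; the `students` table, the function names and the sample values are constructed for illustration.

```python
import sqlite3

# Constructed sample input: legitimate values containing the SQL string delimiter.
SAMPLES = ["O'Brien", "D'Arcy", "It's \"fine\"; really"]


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (name TEXT)")
    return db


def insert_concatenated(db, name):
    """The 'before': input pasted into the statement text, so ' ends the literal."""
    db.execute("INSERT INTO students (name) VALUES ('" + name + "')")


def insert_escaped(db, name):
    """Encode the delimiter: standard SQL doubles a quote inside a string literal."""
    db.execute("INSERT INTO students (name) VALUES ('" + name.replace("'", "''") + "')")


def insert_bound(db, name):
    """Bound parameter: the value travels separately and is never parsed as SQL."""
    db.execute("INSERT INTO students (name) VALUES (?)", (name,))


def stored_names(insert):
    """Insert every sample with the given strategy; return (rows stored, failures)."""
    db = open_db()
    failures = []
    for name in SAMPLES:
        try:
            insert(db, name)
        except (sqlite3.Error, sqlite3.Warning) as exc:
            failures.append((name, type(exc).__name__))
    rows = [r[0] for r in db.execute("SELECT name FROM students ORDER BY rowid")]
    return rows, failures


if __name__ == "__main__":
    for strategy in (insert_concatenated, insert_escaped, insert_bound):
        print(strategy.__name__, stored_names(strategy))
```

Bound parameters are the usual choice in application code, since hand-written escaping has to match the exact quoting rules of the database in use.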