First of all, it’s just bad practice. Input validation is always necessary, but it’s also always iffy.
Worse yet, blacklist validation is always problematic, it’s much better to explicitly and strictly define what values/formats you accept. Admittedly, this is not always possible – but to some extent it must always be done.
Some research papers on the subject:
- http://www.imperva.com/docs/WP_SQL_Injection_Protection_LK.pdf
- http://www.it-docs.net/ddata/4954.pdf (Disclosure, this last one was mine 😉 )
- https://www.owasp.org/images/d/d4/OWASP_IL_2007_SQL_Smuggling.pdf (based on the previous paper, which is no longer available)
Point is, any blacklist you do (and too-permissive whitelists) can be bypassed. The last link to my paper shows situations where even quote escaping can be bypassed.
Even if these situations do not apply to you, it’s still a bad idea. Moreover, unless your app is trivially small, you’re going to have to deal with maintenance, and maybe a certain amount of governance: how do you ensure that its done right, everywhere all the time?
The proper way to do it:
- Whitelist validation: type, length, format or accepted values
- If you want to blacklist, go right ahead. Quote escaping is good, but within context of the other mitigations.
- Use Command and Parameter objects, to preparse and validate
- Call parameterized queries only.
- Better yet, use Stored Procedures exclusively.
- Avoid using dynamic SQL, and dont use string concatenation to build queries.
- If using SPs, you can also limit permissions in the database to executing the needed SPs only, and not access tables directly.
- you can also easily verify that the entire codebase only accesses the DB through SPs…