Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?

First of all, it’s just bad practice. Input validation is always necessary, but it’s also always iffy. Worse yet, blacklist validation is always problematic; it’s much better to explicitly and strictly define what values/formats you accept. Admittedly, this is not always possible – but to some extent it must always be done. Some research papers …

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

When it comes to database queries, always try to use prepared, parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string. Yes, mysql_real_escape_string is effectively just a string escaping function. It is not a magic bullet. All it will do is escape dangerous characters in …

In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

There are no “illegal” characters for the database. A database that cannot store some characters is nonsense. There are some service characters, like quotes, used to delimit strings. These characters should just be escaped, not eliminated. To send a query to the database, you have 2 options: build a query the usual way, to make it …

CSRF, XSS and SQL Injection attack prevention in JSF

XSS: JSF is designed to have built-in XSS prevention. You can safely redisplay all user-controlled input (request headers (including cookies!), request parameters (also the ones which are saved in the DB!) and request bodies (uploaded text files, etc.)) using any JSF component: <h:outputText value="#{user.name}" /> <h:outputText value="#{user.name}" escape="true" /> <h:inputText value="#{user.name}" /> etc. Note that when …

Java – escape string to prevent SQL injection

PreparedStatements are the way to go, because they make SQL injection impossible. Here’s a simple example taking the user’s input as the parameters: public void insertUser(String name, String email) { Connection conn = null; PreparedStatement stmt = null; try { conn = setupTheDatabaseConnectionSomehow(); stmt = conn.prepareStatement("INSERT INTO person (name, email) values (?, ?)"); stmt.setString(1, name); stmt.setString(2, …

Reference: What is a perfect code sample using the MySQL extension? [closed]

My stab at it. Tried to keep it as simple as possible, while still maintaining some real-world conveniences. Handles Unicode and uses loose comparison for readability. Be nice 😉 <?php header('Content-type: text/html; charset=utf-8'); error_reporting(E_ALL | E_STRICT); ini_set('display_errors', 1); // display_errors can be changed to 0 in production mode to // suppress PHP's error messages /* …