Reubend

Reputation: 664

SQL Safety with Whitelisting

On my app's registration page, there is a field for the user's name. I would like to prevent SQL injection attacks while allowing complex names like Aldéric D'Aurve-Sanct, which contain single quotes used as apostrophes.

If I whitelist the name using a regex string like this one, can I then use double quotes (which are not allowed in the name) to fully escape the string? In other words, is it safe to use a string containing single quotes, but not other control characters, when surrounded by double quotes? Are there any vulnerabilities which such a simple solution might introduce?

Note: I don't want to use prepared statements in this instance.

Upvotes: 0

Views: 100

Answers (1)

Tom

Reputation: 4826

If you really can't use prepared statements, never escape yourself; there are functions to do it if you ever need it.

For example, if you use PHP PDO, use PDO::quote: https://secure.php.net/manual/en/pdo.quote.php

But use prepared statements if possible:

  • No need to blacklist
  • No need to escape
  • No risk of injection
  • Everything is allowed

Upvotes: 1
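As an added illustration of the answer's point (this is example code written for this page, not the answerer's code and not PHP PDO), the following uses Python's standard-library sqlite3 module, whose `?` placeholders play the same role as PDO prepared statements. It shows the name from the question being stored and read back intact without any hand-written escaping, and it shows that a string containing quote characters and SQL keywords is stored as plain data when it is passed as a parameter. The regex `NAME_RE` is a hypothetical whitelist for data validation only; the injection protection comes from the parameter binding, not from the regex.

```python
import re
import sqlite3

# Constructed sample input: the kind of name the question wants to accept.
SAMPLE_NAME = "Aldéric D'Aurve-Sanct"

# Hypothetical whitelist (assumption for this example): Unicode letters, with
# single spaces, apostrophes or hyphens allowed between letter groups.
# [^\W\d_] matches a letter in Python 3 str patterns. This is input validation
# for data quality, not the injection defence.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")


def is_valid_name(name: str) -> bool:
    """Return True if the name matches the whitelist pattern."""
    return NAME_RE.fullmatch(name) is not None


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, name: str) -> str:
    """Validate the name, insert it with a bound parameter, and read it back.

    The value is never concatenated into the SQL text, so quotes inside it
    need no escaping at all.
    """
    if not is_valid_name(name):
        raise ValueError("name rejected by whitelist")
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def store_raw(conn: sqlite3.Connection, value: str) -> int:
    """Insert an arbitrary string WITHOUT whitelist validation, using a bound
    parameter, and return the number of rows now in the table.

    Even a value containing quotes and SQL keywords is just stored as text;
    the statement structure cannot be altered by the parameter.
    """
    conn.execute("INSERT INTO users (name) VALUES (?)", (value,))
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(register(db, SAMPLE_NAME))            # name round-trips unchanged
    print(store_raw(db, "x'); DROP TABLE users; --"))  # table still exists, 2 rows
    print(is_valid_name("x'); DROP TABLE users; --"))  # False: rejected as data
```

Run it directly to see the three results; the apostrophe in the sample name needs no special handling because the database driver binds the value separately from the SQL text, which is exactly why the answer recommends prepared statements over home-grown escaping.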
