Ghanshyamji Gupta

Reputation: 429

Is proper validation of user input not sufficient to prevent SQL injection?

I know SQL injection can be done if I am taking input from a user, like user_name and password. SQL prepared statements are advised to prevent SQL injection, but what if I am doing proper validation of the user's input before doing SQL operations?

In the user name input field a user can try to inject in the following way:

[email protected] or '1'='1'

or

[email protected]; DROP ........(sql query to drop db, delete tables etc.)

But if I am validating the user's email, and the email does not follow the rule, then no database interaction will be done.

Like this I can also validate the password, which cannot contain spaces.

So my question is this: if I am validating each input from the user, can someone still do SQL injection in my database?

Upvotes: 0

Views: 741

Answers (1)

SilverlightFox

Reputation: 33538

No, because you can never be sure you've filtered the right stuff.

Additionally, you are severely limiting the input to your application if you're disallowing certain characters.

For example, imagine if StackOverflow filtered out <script> entered in its text boxes.

If you're disallowing spaces in passwords, I'll just set my password to be:

Robert');/**/DROP/**/TABLE/**/STUDENTS;--

Also, what if my email address was:

"' OR '1' = '1'--"@example.com

? (This is perfectly valid according to the RFC.)

Upvotes: 1
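The two inputs from the answer above, run through a "no spaces" check and an RFC-style email pattern, then through a string-concatenated query and a parameterized one. This is an added example using Python's sqlite3, not code from the original post; the table, its rows and the email regex are constructed for illustration.

```python
import re
import sqlite3

# Sample inputs taken from the answer above.
PASSWORD_PAYLOAD = "Robert');/**/DROP/**/TABLE/**/STUDENTS;--"
EMAIL_PAYLOAD = "\"' OR '1' = '1'--\"@example.com"

# Constructed validator: accepts a quoted local part (RFC-valid), so
# quotes, spaces and SQL keywords can legitimately appear inside it.
EMAIL_RE = re.compile(r'^("[^"]*"|[A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def password_has_no_spaces(pw: str) -> bool:
    """The 'no spaces' rule from the question; /**/ comments contain none."""
    return " " not in pw


def email_is_valid(addr: str) -> bool:
    """Strict-looking email check that still accepts the quoted payload."""
    return EMAIL_RE.fullmatch(addr) is not None


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: validated or not, the email becomes part of the SQL text,
    so the quoted local part closes the literal and the rest is parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the driver binds the email as a value, never as SQL,
    so the same input simply matches no row."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]
```

Both validators pass the payloads; only the parameterized lookup treats the email as data, which is why validation alone is not a substitute for prepared statements.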
