Reputation: 1219
I have read many forum (and stack overflow) posts regarding escaping characters and sanitizing user input, but I'd like to tie it all together and make it a little more specific to the Android platform. Here's my circumstance:
I have an Android app that communicates with a web service via SOAP XML messages. Here's a sample XML message that might be sent (I'm leaving out the SOAP envelope around it):
<Log>
<Summary>user entered text</Summary>
<Details>user entered text</Details>
</Log>
As you can see, there are 2 places a user can input text in a form that is then inserted into this message to be sent to the web service. I need to:
A) make sure it's valid XML and
B) make sure it doesn't contain any malicious SQL content.
Are there any pre-included utilities in the Android API to escape invalid XML chars (such as &) that the user may have entered? (So that I can simply say "escapeXML(xmlstring);" or something like that)
Is there any way to check for malicious SQL (or other code injection) or should that be handled on the server-side?
As a side note: I'd almost prefer that the user was only able to enter A-z, 0-9 and basic punctuation (so as to avoid weird unicode characters that can't even be seen or interpreted sometimes). Is there a good way to restrict user input to a subset of characters?
I know this is a couple of questions built into one, so if you only know part of it, please provide an answer anyway and I will be more than happy to upvote or accept it. Thanks in advance for all the help! (StackOverflow is where I come when I've consumed way too many forum threads and have gotten myself all twisted around about what is appropriate in my circumstance)
Upvotes: 1
Views: 506
Reputation: 58615
The best way to deal with SQL Injection is using parameterized queries. This is done on the server side. Everything else is secondary, unnecessary or barely scratches the surface of the issue.
You should read these:
On Jeff Atwood's blog, I like where he says:
Non-parameterized SQL is the GoTo statement of database programming.
Upvotes: 3
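To tie the question and the answer together, here is an added example (not from either poster) that models both sides in Python: the client step builds the <Log> message with the XML special characters escaped and checks that the result parses, plus the character whitelist the asker mentions, and the server step shows why the SQL defence belongs there by running the same user text through a concatenated query and a parameterized one against an in-memory SQLite table. The table, its rows and the input strings are constructed for the demo; on Android the escaping step corresponds to android.text.TextUtils.htmlEncode, which escapes the same five characters.

```python
import re
import sqlite3
from xml.etree import ElementTree
from xml.sax.saxutils import escape

# Client side (the app): escape & < > plus the two quote characters before
# inserting user text into the message, so it is safe in element content
# and inside attribute values alike.
XML_ENTITIES = {'"': "&quot;", "'": "&apos;"}

def build_log_message(summary: str, details: str) -> str:
    body = "<Log><Summary>{}</Summary><Details>{}</Details></Log>".format(
        escape(summary, XML_ENTITIES), escape(details, XML_ENTITIES))
    ElementTree.fromstring(body)  # raises ParseError if not well-formed XML
    return body

# Optional whitelist from the question: ASCII letters, digits, space and
# basic punctuation; anything else (including invisible Unicode) is rejected.
ALLOWED = re.compile(r"[A-Za-z0-9 .,;:!?'\"()-]*")

def is_allowed_input(text: str) -> bool:
    return ALLOWED.fullmatch(text) is not None

# Server side (the web service): constructed table with one row whose summary
# contains apostrophes, which is enough to show the difference.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (summary TEXT, details TEXT)")
    conn.execute("INSERT INTO log VALUES (?, ?)",
                 ("O'Brien's disk is full", "constructed row"))
    return conn

def count_concatenated(conn: sqlite3.Connection, summary: str):
    # Vulnerable: the user text is spliced into the statement, so SQLite parses
    # it as SQL. Returns None when the statement is rejected.
    try:
        sql = "SELECT COUNT(*) FROM log WHERE summary = '" + summary + "'"
        return conn.execute(sql).fetchone()[0]
    except sqlite3.OperationalError:
        return None

def count_parameterized(conn: sqlite3.Connection, summary: str) -> int:
    # Hardened: the driver binds the value, so it is never parsed as SQL.
    row = conn.execute("SELECT COUNT(*) FROM log WHERE summary = ?", (summary,))
    return row.fetchone()[0]

if __name__ == "__main__":
    print(build_log_message("Tom & Jerry <3", 'said "hi"'))
    conn = setup_db()
    text = "O'Brien's disk is full"
    print(count_concatenated(conn, text), count_parameterized(conn, text))
```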