What are the special characters I should not allow the user to enter in a text box field, for security reasons?
-3
- Check out SQL special characters: http://stackoverflow.com/questions/712580/list-of-special-characters-for-sql-like-clause – Gareth Oct 09 '12 at 22:14
2 Answers
6
SQL Injection can more reliably be prevented by using prepared statements like the following. If you can't use this pattern, the second best method would be to "white list" the good characters instead of "black listing" the prohibited characters.
.NET

```csharp
using System.Data.OleDb;

string query =
    "SELECT account_balance FROM user_data WHERE user_name = ?";
try
{
    OleDbCommand command = new OleDbCommand(query, connection);
    // OleDb parameters are positional: the first parameter added fills the first '?'.
    // CustName is the text box control whose .Text is bound as the value.
    command.Parameters.Add(new OleDbParameter("custName", CustName.Text));
    OleDbDataReader reader = command.ExecuteReader();
    // …
}
catch (OleDbException se)
{
    // error handling
}
```
Java

```java
import java.sql.PreparedStatement;
import java.sql.ResultSet;

String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
// The value is bound to the placeholder; it can never alter the statement's structure.
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();
```
You can consult OWASP SQL Injection Prevention Cheat Sheet for more examples of prepared statements and the OWASP Input Validation Cheat Sheet to learn more about white listing if you're absolutely set on white listing/black listing.

– xelco52
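The difference between building the query from the user's text and binding it as a parameter, as an added Python/sqlite3 example that is not part of the answer above (the `user_data` table and its rows are constructed here purely for the demonstration):

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user_data table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance REAL)")
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?)",
        [("alice", 100.0), ("O'Brien", 250.5), ("bob", 42.0)],  # constructed rows
    )
    conn.commit()
    return conn


def balance_unsafe(conn, cust_name):
    """Anti-pattern: the user's text becomes part of the SQL grammar.

    A perfectly legitimate name containing an apostrophe (O'Brien) already
    breaks the statement, which is exactly the property an attacker abuses.
    """
    query = (
        "SELECT account_balance FROM user_data WHERE user_name = '"
        + cust_name
        + "'"
    )
    return [row[0] for row in conn.execute(query)]


def balance_safe(conn, cust_name):
    """Prepared statement: '?' is a placeholder the driver binds a value to.

    The statement's structure is fixed before any user data is seen, so
    quotes, comment markers or semicolons in the input stay literal text.
    """
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (cust_name,))]


if __name__ == "__main__":
    db = make_db()
    print(balance_safe(db, "O'Brien"))     # [250.5]
    print(balance_safe(db, "alice' --"))   # [] : treated as a literal name
    try:
        balance_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as err:
        print("unsafe build failed:", err)
```

The safe version needs no character filtering at all: the apostrophe in `O'Brien` is simply part of the bound value, and a string such as `alice' --` matches nothing because it is compared as a whole against `user_name`.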
0
mysql_real_escape_string($string) (PHP) will do that job for you. You don't have to filter data.
Mostly the ' (single quote) and " (double quote) will give trouble without escapes.

– Jordi Kroon
- Thanks Jordi, all the backend part is fine. I am asking a general question: if I need to do validation, what are the characters I should not allow to be entered? How about the following characters, are they OK: / \ : ? [ ] ; – skystar Oct 09 '12 at 22:40
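If input validation is still wanted on top of the prepared statement, the first answer's point about allow-listing versus deny-listing can be seen with a short added Python example (not part of either answer). The deny-list below is constructed from the characters listed in the comment above; the allow-list pattern is an assumed rule for a user-name field and would have to be adjusted to the real data domain:

```python
import re

# Deny-list built from the characters asked about in the comment above
# (constructed for this demo; not a recommendation to rely on it).
DENY_LIST = set("/\\:?[];'\"")

# Allow-list: assumed rule for a user-name field. Only what is explicitly
# permitted gets through; everything else, including characters nobody
# thought to list, is rejected.
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def deny_list_ok(value):
    """Deny-list check: passes unless a listed character is present."""
    return not any(ch in DENY_LIST for ch in value)


def allow_list_ok(value):
    """Allow-list check: passes only if the whole value matches the pattern."""
    return ALLOWED_USERNAME.fullmatch(value) is not None


def classify(value):
    """Return (deny_list_ok, allow_list_ok) for one input, for comparison."""
    return deny_list_ok(value), allow_list_ok(value)


if __name__ == "__main__":
    # Constructed sample inputs: a plain name, a name with an apostrophe,
    # and inputs using characters that are not on the deny-list at all.
    for sample in ["alice", "O'Brien", "a/b", "alice\n--", "a`b", "a\x00b", ""]:
        print(repr(sample), classify(sample))
```

Two things the output makes concrete. A deny-list only ever covers the characters someone remembered to write down: a newline, a backtick or a NUL byte sail through `deny_list_ok`, while `allow_list_ok` rejects them without anyone having anticipated them. At the same time an allow-list this strict also rejects `O'Brien`, a real name; that is why validation is a secondary control that must fit the data, and the prepared statement remains the thing that actually prevents injection.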