Optimal Way to Store data in MySQL from .NET

Question

I am collecting user input with a .NET application. The data is send to a MySQL Database and stored there. When needed, the data is requested from the .NET app and printed in the GUI. This all works fine and flawless.

Till now i was making a direct DB connection from my local .NET app to the remote DB. As this is not a good idea i want to put a 'request-handler' in between now: a simple .php file which checks the user privileges before the required action.

As i want to cover several flaws with this new implementation, im thinking what would be the best options to achive the following:

1. prevent that the user puts illegal characters inside the DB
2. keep the data-packages as small as possible
3. easily read & write the data-packages to/from the DB

I have to admit that i am new to mysql/php and DBs in general. But my research till now brought me to the keywords JSON and XML.

Could somebody tell me which of these, is more convienent for me to use? As the package-size is not the most important, more especially the 'illegal-character' prevention should work flawless... Am i on the right track with using XML? Any suggestion reagarding my issues are greatly appreciated!

Answer 1

prevent that the user puts illegal characters inside the DB

I assume you mean SQL Injection here, right?

To give you an idea of what is possible via SQL Injection, then read MySQL SQL Injection Cheat Sheet.

To mitigate the risk of SQL Injection you need to use prepared statements and parameterized queries as described in the accepted answer to How can I prevent SQL injection in PHP?.

keep the data-packages as small as possible

JSON will generate smaller messages than XML, but the support for encoding to JSON will be less readily available, if at all.

easily read & write the data-packages to/from the DB

MySQL has an XML data type. Learn how to use this type by reading the accepted answer of How do I store XML data into a mysql database?.