prevent SQL injection using html only

Question

Am trying to validate the inputs for a comment box in order to accept only text, and to alert a message if the user entered number (1-0) or symbol (@ # $ % ^ & * + _ = ). to prevent SQL injection

is there is a way to do that in html

Answer 1

You can never trust what comes from the client. You must always have a server side check to block something such as an SQL injection.

You can of course add the client side validation you mentioned but it's only to help users not enter junk data. Still can't trust it once it's sent to the server.

Answer 2

On using Javascript/HTML to improve security

is there is a way to do that in html

No. As others have pointed out, you cannot increase security by doing anything in your HTML or Javascript.

The reason is that the communication between your browser and your server is totally transparent to an attacker. Any developer is probably familiar with the "developer tools" in Firefox, Chrome etc. . Even those tools, which are right there in most modern browsers, are enough to create arbitrary HTML requests (even over HTTPS).

So your server must never rely on the validity of any part of the request. Not the URL, not the GET/POST parameters, not the cookies etc.; you always have to verify it yourself, serverside.

On SQL injection

SQL injection is best avoided by making sure never to have code like this:

 sql = "select xyz from abc where aaa='" + search_argument + "'"  # UNSAFE
 result = db.execute_statement(sql) 

That is, you never want to just join strings together to for a SQL statement.

Instead, what you want to do is use bind variables, similar to this pseudo code:

 request = db.prepare_statement("select xyz from abc where aaa=?")
 result = request.execute_statement_with_bind(sql, search_argument)

This way, user input is never going to be parsed as SQL itself, rendering SQL injection impossible.

Of course, it is still wise to check the arguments on the client-side to improve user experience (avoid the latency of a server roundtrip); and maybe also on server-side (to avoid cryptic error messages). But these checks should not be confused with security.

Answer 3

Short answer: no, you can't do that in HTML. Even a form with a single check box and a submit button can be abused.

Longer answer...

While I strongly disagree that there's nothing you can do in HTML and JavaScript to enhance security, a full discussion of that goes way beyond the bounds of a post here.

But ultimately you cannot assume that any data coming from a computer system you do not control is in any way safe (indeed, in a lot of applications you should not assume that data from a machine you do control is safe).

Your primary defence against any attack is to convert the data to a known safe format for both the sending and receiving components before passing it between components of your system. Here, we are specifically talking about passing data from your server-side application logic to the database. Neither HTML nor JavaScript are involved in this exchange.

Moving out towards the client, you have a choice to make. You can validate and accept/reject content for further processing based on patterns in the data, or you can process all the data and put your trust in the lower layers handling the content correctly. Commonly, people take the first option, but this gives rise to new security problem; it becomes easy to map out the defences and find any gaps. In an ideal world that would not matter too much - the deeper defences will handle the problem, however in the real world, developers are limited by time and ability. If it comes down to a choice of where you spend your skills/time budget, then the answer should always be on making the output safer over validating input.

Answer 4

The question seems to be more straight forward, but i keep my answer the same as before:

Never validate information on the clientside. It makes no sense, because you need to validate the same information with the same (or even better) methods on the server! Validating on Clientside only generates unnecessary overhead as the information from a client can not be trusted. Its a waste of energy.

If you have problems with users sending many different Symbols but no real messages, you should shut down your server immideately! Because this could mean that your users try to find a way to hack into the server to gain control!

Some strange looking special character combinations could allow this if the server doesn't escape user input properly!

In short: HTML is made for content display, CSS for design of the content, Javascript for interactivity and other Languages like Perl, PHP or Python are made for processing, delivering and validation of information. These last called Languages normally run on a server. Even if you use them on a server you need to be very carefull, as there are possible ways to render them useless too. (For instance if you use global variables the wrong way or you dont escape user input properly.)

I hope this helps to get the right direction.