What is best practice for "input validation" to avoid "client side injection" (M4) of malicious code? Specifically, I am referring to text fields where the user can enter text as part of chat functionality. One solution is to replace certain characters as per this answer. The challenge then is to still allow the ever so popular emojis while still removing malicious code. What is the recommended code for validating input in a UITextField?
Viewed 115 times
-
Don't ever insert user-entered text into SQL with simple substitution. What precisely is your concern? – Paulw11 Jul 16 '16 at 13:24
-
Can you please elaborate? And if possible suggest solutions/answers? My concern is that a user inputs something that causes harm / is interpreted on the client or server as anything other than a chat message. – KML Jul 16 '16 at 13:25
-
It depends on the frameworks, etc., that you are using, but if you do something silly like `insert into sometable value \(userinput)` then injection is a risk. If you use prepared statements and then associate the user input with the placeholder, then injection isn't a problem; the precise solution depends on the database framework you are using. – Paulw11 Jul 16 '16 at 13:29
-
The database is MongoDB. What do you mean by "simple substitution" and "If you use prepared statements and then associate the user input with the placeholder then injection isn't a problem"? – KML Jul 16 '16 at 13:30
-
So that is a NoSQL database. You communicate with REST/JSON, so injection isn't a risk; the operation verb is in the URL, not in the JSON data. – Paulw11 Jul 16 '16 at 13:38
-
What I mean by simple substitution is that injection attacks typically succeed because user input is just inserted into an SQL statement, and if the string contains `';` then it would terminate the current statement and allow the user to execute another. Modern SQL interface frameworks allow you to specify the SQL statement and then separately specify the data values. This allows the code to know what is a command and what is data, avoiding the possibility of injection. – Paulw11 Jul 16 '16 at 13:42
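The following is an added example illustrating the two points made in this thread (the question's wish to keep emoji while blocking injection, and the comment's distinction between "simple substitution" and prepared statements). It is not code from the question, the comments, or any project; it uses Python with an in-memory SQLite database as a stand-in for the backend (the thread's backend is MongoDB, where the equivalent rule is to build queries through the driver's API rather than by assembling query strings or JSON by hand). The table, the function names and the sample messages are all invented for this example.

```python
import html
import sqlite3

# Constructed sample chat messages (not from the page): an emoji-only
# message, one carrying SQL metacharacters, and one carrying HTML markup.
SAMPLE_MESSAGES = [
    ("alice", "Hi there 😀🎉"),
    ("bob", "Robert'); DROP TABLE messages; --"),
    ("carol", "<script>alert('x')</script> 🙃"),
]


def make_db():
    """Create an in-memory SQLite database and load the sample messages
    with a parameterized INSERT. The body is bound as a value, so the
    quotes, semicolons and emoji are stored verbatim and never parsed
    as SQL; nothing has to be stripped from the user's text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (author, body) VALUES (?, ?)", SAMPLE_MESSAGES
    )
    conn.commit()
    return conn


def messages_by_author_unsafe(conn, author):
    """The 'simple substitution' anti-pattern from the comments: the
    user-controlled value is spliced into the SQL text, so a quote in
    the input changes the meaning of the statement."""
    query = f"SELECT author, body FROM messages WHERE author = '{author}'"
    return conn.execute(query).fetchall()


def messages_by_author_safe(conn, author):
    """Prepared statement: the SQL text is fixed and the value is bound
    to the placeholder separately, so the driver always knows which
    part is the command and which part is data."""
    return conn.execute(
        "SELECT author, body FROM messages WHERE author = ?", (author,)
    ).fetchall()


def render_for_html(body):
    """Output-side encoding for a web/HTML view of the chat. Escaping at
    render time, rather than filtering characters on input, keeps the
    stored message intact; emoji contain no HTML metacharacters and pass
    through unchanged. A native UILabel/UITextView does not interpret
    HTML, so this step only matters where the text is rendered as markup."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    conn = make_db()
    # A classic tautology payload: harmless as a bound value, but it widens
    # the WHERE clause to every row when spliced into the query text.
    payload = "nobody' OR '1'='1"
    print(messages_by_author_unsafe(conn, payload))  # all three rows
    print(messages_by_author_safe(conn, payload))    # []
    for _, body in messages_by_author_safe(conn, "carol"):
        print(render_for_html(body))
```

The takeaway for the chat use case is that the text field needs no character blacklist: bind the message as a parameter on the way into the database, and encode it for whatever context renders it on the way out. Emoji survive both steps untouched, while the metacharacters that matter for injection are never interpreted.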