Can I prevent MySQL injection if I do not allow to use simbols in the form?

Question

Just a stupid question: I know very well how to prevent MySQL Injection using PDO and MySQLi, but Can I prevent it if I just do not allow symbols in the forms?

I mean: If I use something like:

<input name="txt_user" id="txt_user" pattern="[a-zA-Z0-9-]+">

Can this prevent MySQL Injection?

Thanks in advance for your answers!!!

using the `pattern` attribute to prevent sql injection? (storm of downvotes coming up) — Kevin, Nov 30 '16 at 00:56
*"Could be this be a workaround?"* - for what? I don't think this question should be about sql injection but which characters you want to allow. — Funk Forty Niner, Nov 30 '16 at 00:58
I will edit the question to remove the workarround... Its a long history! — Luis Gerardo Runge, Nov 30 '16 at 00:59
@LuisGerardoRunge just change the question accordingly, if you're trying to filter certain patterns / characters, never trust front end validation, do that on the server — Kevin, Nov 30 '16 at 01:01
If I only allow to use A-Z a-z 0-9, there is no way to write someting like: `value'); DROP TABLE table;--` — Luis Gerardo Runge, Nov 30 '16 at 01:02
this question is starting to reveal/unveil itself into "unclear/too broad" in comments. — Funk Forty Niner, Nov 30 '16 at 01:03
@LuisGerardoRunge they don't need a form html if they intend to drop your tables — Kevin, Nov 30 '16 at 01:03
@Fred -ii- What's up? do you look at all the comments to see in which of them you can give negative feedback? And do not bring anything, you just say that this question begins to be .... I said I know how to prevent it, and also mention that it was a silly question, but I'm curious to know, can I be curious? Can I ask people who know? but thanks anyway — Luis Gerardo Runge, Nov 30 '16 at 01:12
Possible duplicate of [JavaScript: client-side vs. server-side validation](http://stackoverflow.com/questions/162159/javascript-client-side-vs-server-side-validation) — Funk Forty Niner, Nov 30 '16 at 01:15
Had I known you'd accept that answer, I'd of closed this right away. — Funk Forty Niner, Nov 30 '16 at 01:15
I insist, if you are going to participate, contribute with something! — Luis Gerardo Runge, Nov 30 '16 at 01:20

score 2 · Accepted Answer · edited May 23 '17 at 10:30

2

No. There is nothing preventing the user from editing the HTML of the page and removing that attribute.

Validation should always be done on the server side. See also

edited May 23 '17 at 10:30

Community

1
1

answered Nov 30 '16 at 01:01

Andrei Savin

2,350
4
26
40

Thanks you Andrei, that's is a good reason, Obviously it is safer to validate on the server and for some reason, I had not noticed that detail, but thanks for refreshing my memory – Luis Gerardo Runge Nov 30 '16 at 01:17

Can I prevent MySQL injection if I do not allow to use simbols in the form?

1 Answers1