
I've been programming for about 6 months now, but also did a bit of code about 10 years ago. I remember back then I had to block some characters from text fields for security purposes, so people won't type in some code that would cause harm.

Is it still relevant in 2019? Should I be worried about anything of that sort?

I am using Cloud Firestore as my server.

  • My app would allow all languages, so I can't limit what characters ARE allowed as there are way too many.

  • If there is no security risk I have no need to validate my text. Any text is fine for me. I just want to know if I should be worried about a user writing some text that would break something.

Tsabary
  • Possible duplicate of [Android: How can I validate EditText input?](https://stackoverflow.com/questions/2763022/android-how-can-i-validate-edittext-input) – bart Jul 11 '19 at 05:47
  • @bart those are different questions. I don't need to validate anything. I just want to know no one can break it with a certain input. – Tsabary Jul 11 '19 at 05:50
  • There is not a security risk. The only risk I see here is that undefined chars can be shown in your app. For instance, a Message can contain almost all chars, even Emojis, but on the other hand an Email or a Name field can't. In this case breakage comes in when your TextField is not able to draw the Emojis. – ADM Jul 11 '19 at 06:02
  • @ADM Thank you! I do limit characters in fields like email, mobile number etc. when the set of allowed characters is obvious. I was wondering more about the message's body and title. Your reply answered my question. If you would write it as an answer I'll accept it. – Tsabary Jul 11 '19 at 06:06
  • Maybe you are referring to SQL injection? That is when you can type some special characters and possibly get information from the DB. You can check this question for further information https://stackoverflow.com/q/48377034/1050058 – Trung Nguyen Jul 11 '19 at 06:55

2 Answers

Yes, you can do that. You need to pass the list of allowed characters in android:digits="".

E.g.

Below I am allowing only a to z and A to Z chars.

<EditText
    android:id="@+id/editText1"
    android:digits="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    android:layout_width="fill_parent"
    android:layout_height="wrap_content" />
Hardik Bambhania
  • That is not the question. I am well aware of how to use the `digits` field. My question is about security, and whether limiting is even needed. – Tsabary Jul 11 '19 at 05:51

In terms of security, you should never trust client code, and only trust server code. Code running on the client could be compromised. Any time an end user is executing code on a device they control, it is possible that they could have changed the way the app works, or even the way the device works.

In this case, instead, you should be using security rules to limit what data can be added to the database, or send the data through a backend you control so that it can be securely checked.

Doug Stevenson
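As an added example (not from this answer or the Firebase documentation), here is what "security rules to limit what data can be added" could look like for the question's message title and body. It assumes a hypothetical /messages/{messageId} collection with author, title, body and createdAt fields; the length limits are arbitrary values chosen for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical layout: /messages/{messageId} holding
    // { author: uid, title: string, body: string, createdAt: timestamp }.
    function isSignedIn() {
      return request.auth != null;
    }

    // Rules run on the server, so they hold even if the client app is
    // modified. Any text content is accepted; only shape, ownership and
    // length are enforced. size() counts characters, so emoji are fine.
    function validMessage(data) {
      return data.keys().hasOnly(['author', 'title', 'body', 'createdAt'])
          && data.keys().hasAll(['author', 'title', 'body', 'createdAt'])
          && data.author == request.auth.uid          // no spoofed authors
          && data.title is string
          && data.title.size() >= 1 && data.title.size() <= 100   // example limit
          && data.body is string
          && data.body.size() >= 1 && data.body.size() <= 5000    // example limit
          && data.createdAt == request.time;          // client must use serverTimestamp()
    }

    match /messages/{messageId} {
      allow read: if isSignedIn();
      allow create: if isSignedIn() && validMessage(request.resource.data);
      // Only the original author may edit, and the author field cannot change
      // because validMessage() re-checks it against the caller's uid.
      allow update: if isSignedIn()
                    && resource.data.author == request.auth.uid
                    && validMessage(request.resource.data);
      allow delete: if isSignedIn() && resource.data.author == request.auth.uid;
    }
  }
}
```

A write that adds an unexpected field, exceeds the length limits, or claims another user's uid is rejected by the database itself, regardless of what the Android client sends.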