
I need to send an object from the client to the server with a string property named "description". The user edits this string and I send it to the server in the request body. At the moment the FW rejects the request as SQL injection because the user enters `'` or `"`, for example: `{ "description": "example'example "example";", "id": "9;206", "price": 56.51, }`

I do not want to omit the characters from the string because they have meaning. What is the correct way to send this string securely?

  • Does this answer your question? [Can I escape html special chars in javascript?](https://stackoverflow.com/questions/6234773/can-i-escape-html-special-chars-in-javascript) – snakecharmerb Sep 03 '20 at 11:15
  • Your question has nothing to do with how to send the characters. You need to avoid SQL injection by not evaluating random strings as if they're legal SQL. You do that by using SQL bindings, not by escaping characters. If you have SQL like `SELECT * WHERE x = $someVariable` then don't do that. Use `WHERE x = ?` and then bind the variable in a prepared statement. – Rob Napier Sep 04 '20 at 19:03
  • The problem is that the request is not sent to the server, it falls before with 403 error. – Adi hahamov Sep 06 '20 at 06:45
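The point made in the comments above, shown as an added example that is not part of the question or any answer on this page: the same description string from the question (quotes and semicolon included) is stored unchanged when it is passed as a bound parameter, while building the SQL by string concatenation breaks on the first `'`. The SQLite table, the `items` column names and the request body (a cleaned-up copy of the object in the question, valid as JSON) are assumptions of this example. It does not address the firewall's 403, which happens before the request reaches the server.

```python
import json
import sqlite3

# Constructed request body based on the object in the question: the "id" is
# kept as a string and the trailing comma removed so that it is valid JSON.
REQUEST_BODY = (
    '{"description": "example\'example \\"example\\";", '
    '"id": "9;206", "price": 56.51}'
)


def open_db():
    """Create an in-memory SQLite database with an assumed items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id TEXT PRIMARY KEY, description TEXT, price REAL)"
    )
    return conn


def insert_concatenated(conn, item):
    """Vulnerable: user data is pasted into the SQL text.

    The first ' inside description closes the string literal, so the rest of
    the value is parsed as SQL. Here that is a syntax error; with a different
    payload it would be an executed statement.
    """
    sql = (
        "INSERT INTO items (id, description, price) VALUES ("
        f"'{item['id']}', '{item['description']}', {item['price']})"
    )
    conn.execute(sql)


def insert_bound(conn, item):
    """Correct: placeholders in the SQL, values bound separately.

    The driver never parses the value as SQL, so nothing needs escaping or
    removing and the string is stored exactly as the user typed it.
    """
    conn.execute(
        "INSERT INTO items (id, description, price) VALUES (?, ?, ?)",
        (item["id"], item["description"], item["price"]),
    )
    conn.commit()


def stored_description(conn, item_id):
    """Look up by id with a bound WHERE parameter, as suggested in the comment."""
    row = conn.execute(
        "SELECT description FROM items WHERE id = ?", (item_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both inserts; return (outcome of concatenation, stored description)."""
    item = json.loads(REQUEST_BODY)
    conn = open_db()
    try:
        insert_concatenated(conn, item)
        concat_outcome = "executed"
    except sqlite3.Error as exc:
        concat_outcome = f"error: {exc}"
    insert_bound(conn, item)
    return concat_outcome, stored_description(conn, item["id"])


if __name__ == "__main__":
    outcome, stored = demo()
    print("concatenated SQL:", outcome)
    print("bound parameter stored:", stored)
```

The client side needs no special handling: a JSON encoder already escapes `"` inside the string, and the server's JSON parser restores it. The only place the characters become dangerous is where they are pasted into SQL text, and parameter binding removes that step entirely.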
