lout — 2010-02-18T18:52:22-05:00 — #1
What's the best way to minimize potential risks like SQL injection attacks when site visitors add a link that goes directly into the database?
I can't just block all the characters since too many websites have all sorts of characters in their links. Do I just delete some that never seem to be used, like quotes, etc.?
dan_grossman — 2010-02-18T19:36:44-05:00 — #2
Actually, URLs can only contain 73 different characters:
- Uppercase letters (26)
- Lowercase letters (26)
- Numbers (10)
- These special characters: $-_.+!*'(), (11)
So stripping out anything else will go a long way to helping avoid cross-site scripting attacks. SQL injection attacks are mitigated by properly escaping strings before putting them into a SQL query -- most languages will provide a wrapper for MySQL's internal string escaping function, or use prepared statements which take care of it automatically.
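An added example, not part of the thread: storing a visitor-submitted link through a prepared statement, so that a URL containing an apostrophe is saved intact instead of altering the query. It uses Python's built-in `sqlite3` in place of MySQL so that it runs offline; the `links` table, the helper names and the http/https-only rule are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import urlsplit

# Assumption: the site only wants ordinary web links.
ALLOWED_SCHEMES = {"http", "https"}


def is_acceptable_link(url):
    """Accept only absolute http(s) URLs that include a host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets in the host
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def open_db():
    """In-memory SQLite stand-in for the site's MySQL table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT NOT NULL)")
    return conn


def save_link(conn, url):
    """Store a submitted link; return False if it was rejected."""
    url = url.strip()
    if not is_acceptable_link(url):
        return False
    # The ? placeholder passes the value separately from the SQL text,
    # so quotes in the URL are data and never part of the statement.
    conn.execute("INSERT INTO links (url) VALUES (?)", (url,))
    conn.commit()
    return True


def stored_links(conn):
    return [row[0] for row in conn.execute("SELECT url FROM links ORDER BY id")]


# Constructed sample submissions, not taken from the thread.
SAMPLES = [
    "http://example.com/page?title=O'Reilly",
    "https://example.com/a'); DROP TABLE links; --",
    "javascript:alert(1)",
    "not a url",
]

if __name__ == "__main__":
    db = open_db()
    for sample in SAMPLES:
        print(save_link(db, sample), sample)
    print(stored_links(db))
```

The two http(s) samples come back from the table byte for byte, apostrophes included, which is why the placeholder rather than character stripping is what protects the query.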