In this case prevalidation or filtering of user input is not a good idea, since you cannot know the wide range of quirks and exploits to guard against, and you will make a mistake. It's better not to have to worry about the effectiveness of an attack like that. There's a solution for that: look into "parameterized" or "prepared" statements. Instead of baking user input right into your query string, you use placeholders (pseudo code):
const statement = sql.prepare("SELECT user_password FROM users where username = :username")
...which are safely populated by calling a setter method on the prepared statement:
That's just pseudo code for presenting the idea. You need to look up how this is done with your library or framework.
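An added, runnable version of the idea above (example code, not from this thread or the linked project), using Python's standard-library sqlite3 module as the concrete driver, since the thread does not say which sqlite3 binding is meant. The users table, its rows and the attack string are constructed for the demonstration. The vulnerable lookup and the parameterized one are run side by side on a legitimate name, on a classic tautology payload, and on a legitimate name containing a quote:

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
    ("o'brien", "hash-of-obrien-password"),  # legitimate name with a quote
]

# Constructed attack string: closes the quoted literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, user_password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Bakes user input straight into the query string, so the input becomes SQL."""
    query = f"SELECT user_password FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """The SQL text is fixed; :username is bound by the driver as a value.

    Whatever the input contains (quotes, OR, comments) it is compared as data
    against the username column and never parsed as part of the statement.
    """
    query = "SELECT user_password FROM users WHERE username = :username"
    return [row[0] for row in conn.execute(query, {"username": username})]


def demo():
    """Run both lookups on legitimate and hostile input and collect the results."""
    conn = make_db()
    results = {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "legit_parameterized": lookup_parameterized(conn, "alice"),
        # Tautology payload: the vulnerable query leaks every row,
        # the parameterized query looks for a user literally named x' OR '1'='1
        "attack_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "attack_parameterized": lookup_parameterized(conn, PAYLOAD),
        # A legitimate quote breaks the hand-built SQL but not the bound one.
        "quote_parameterized": lookup_parameterized(conn, "o'brien"),
    }
    try:
        results["quote_vulnerable"] = lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        results["quote_vulnerable"] = "OperationalError"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the last pair is that prepared statements are not only an injection defence: the same binding that stops the tautology also makes ordinary quirky input such as a surname with an apostrophe work correctly, which is exactly the class of cases a hand-written filter tends to get wrong.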
Thank you, I've started using sqlite3, which has prepared statements built in 😀
You were very helpful
github.com/ignis-pwa/permissions_h...