
INTRODUCTION AND RELEVANT INFORMATION:

I have an edit control in which user should enter a company name. Edit control is locale aware.

PROBLEM:

I wish to properly protect it from SQL injection attacks and from user entering nonsense characters.

MY EFFORTS TO SOLVE THE PROBLEM:

I was thinking of discarding the colon and semicolon in my subclassing procedure in response to WM_CHAR, and performing the validation again in response to EN_CHANGE. If a problem occurs I would inform the user and disable the "Save" button.

Since my application is locale aware, I need locale aware functions for testing the input character.

So far I have found IsCharAlpha and IsCharAlphaNumeric, which seem locale aware (my English is not the best, so maybe I have misread the MSDN documentation; I apologize for that).

I have also searched here for similar questions but found none.

QUESTION:

Will discarding the semicolon only do the trick, or do I need to take some other characters into consideration?

Am I on the "right track" with subclassing + EN_CHANGE or is there a better way to achieve this? If there is can you point me in the right direction?

Thank you.

Best regards.

AlwaysLearningNewStuff

1 Answer


SQL Injection attacks only occur when you create SQL statements dynamically using user input without validating/escaping the input first. Don't create SQL statements dynamically! Use parameterized queries or stored procedures, then there is no risk of SQL Injection at all.

Remy Lebeau
  • I am using `ADO` and the `Command Object` to execute parametrized query. I was wondering if I should restrict some characters from the user input just to be safer? Some illogical ones like `;` or `%`... Based on your answer I think I am already "on the safe side", so I am interested if invalid character restriction can bring me even greater security? Thank you for answering. Upvoted. Best regards! – AlwaysLearningNewStuff Mar 20 '14 at 04:04
  • A parameterized query will handle that for you. Characters like `;` and `%` are perfectly safe and will get posted as-is without breaking the SQL, as the query parameters will handle the necessary escaping for you. For other characters, like foreign language characters, either the SQL will fail with an error, or more likely the characters will simply get converted to something else, based on the database/field's configured charset. If you want to preserve the user's input, you should use a Unicode charset for the database, and submit the parameter values using Unicode strings. – Remy Lebeau Mar 20 '14 at 05:23