User input validation for avoiding security vulnerability and what else to check before storing in db

Question

I am working on backend .NET API, and I receive a userName as text field. I would like to store this data into the database. Now, what are the validations needed to be done on this field?

E.g. length check (256 char maybe), forbidden chars (";", "/"", etc) and what else before I store this data in the database?

I want to make sure it's secure so to avoid any type of SQL injection or any malicious thing, I would like to know what are the best practices or what needs to be done to this string.

Also, I would like to support all Unicode char.

Thank you.

I tried,

Length check 256 chars
Forbidden char check { ';', ''', '"', '\b', '\r', '\n', '\t', '\0', '\x1a' };

Expecting what else to check before I take user name string to database.

https://jonathancrozier.com/blog/preventing-sql-injection-in-c-sharp-applications — Zach W, Apr 02 '23 at 04:07

score 0 · Answer 1 · answered Apr 02 '23 at 09:40

Maybe instead of thinking about what character should be forbidden you should define only the characters that are allowed via annotation validation. This way you can secure yourself without specifying all the forbidden characters.

[RegularExpression("^[a-zA-Z]+$", ErrorMessage = "The username field can 
only contain uppercase and lowercase letters.")]

User input validation for avoiding security vulnerability and what else to check before storing in db

1 Answers1