I have a javascript code that access a sqlite3 database. I would like to validate my text field value and prevent SQL injection. Is there an "optimum algorithm" for that?
--update: I'm developing a Xulrunner desktop application. Maybe I should use the database in the xpcom component, which is compiled (written in C), so the user will not have access to it..
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
As with regular SQL injection, blind SQL injection attacks can be prevented through the careful use of parameterized queries, which ensure that user input cannot interfere with the structure of the intended SQL query.
Typically SQL injection is avoided using parameterized SQL statements.
Here's an MSDN article describing how you would do this.
Here is another article that describes several ways you can prevent sql injection.
SQL injection prevention is done at the server side, there is nothing you can do on the client side to prevent it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With