Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is htmlencoding a suitable solution to avoiding SQL injection attacks?

Tags:

security

sql

sql-injection

I've heard it claimed that the simplest solution to preventing SQL injection attacks is to html encode all text before inserting into the database. Then, obviously, decode all text when extracting it. The idea being that if the text only contains ampersands, semi-colons and alphanumerics then you can't do anything malicious.

While I see a number of cases where this may seem to work, I foresee the following problems in using this approach:

  • It claims to be a silver bullet. Potentially stopping users of this technique from understanding all the possible related issues - such as second-order attacks.
  • It doesn't necessarily prevent any second-order / delayed payload attacks.
  • It's using a tool for a purpose other than that which it was designed for. This may lead to confusion amongst future users/developers/maintainers of the code. It's also likley to be far from optimal in performance of effect.
  • It adds a potential performance hit to every read and write of the database.
  • It makes the data harder to read directly from the database.
  • It increases the size of the data on disk. (Each character now being ~5 characters - In turn this may also impact disk space requirements, data paging, size of indexes and performance of indexes and more?)
  • There are potential issues with high range unicode characters and combining characters?
  • Some html [en|de]coding routines/libraries behave slightly differently (e.g. Some encode an apostrophe and some don't. There may be more differences.) This then ties the data to the code used to read & write it. If using code which [en|de]codes differently the data may be changed/corrupted.
  • It potentially makes it harder to work with (or at least debug) any text which is already similarly encoded.

Is there anything I'm missing?
Is this actually a reasonable approach to the problem of preventing SQL injection attacks?
Are there any fundamental problems with trying to prevent injection attacks in this way?

like image 715
Matt Lacey Avatar asked Mar 10 '10 10:03

Matt Lacey

People also ask

Which methods can be used to avoid SQL injection?

The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.

What are the solution for injection attacks?

How to prevent SQL injection attacks. Avoid placing user-provided input directly into SQL statements. Prefer prepared statements and parameterized queries, which are much safer. Stored procedures are also usually safer than dynamic SQL.

What is HTML injection attack?

HTML Injection also known as Cross Site Scripting. It is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.

1 Answers

You should prevent sql injection by using parameter bindings (eg. never concatenate your sql strings with user input, but use place holders for your parameters and let the framework you use do the right escaping). Html encoding, on the other hand, should be used to prevent cross-site scripting.

like image 157
Klaus Byskov Pedersen Avatar answered Nov 15 '22 08:11

Klaus Byskov Pedersen
Sign in to Comment

Related questions

Insufficient privileges when creating a trigger for a table in another schema
SQL Help: Counting Rows in a Single Query With a Nested SELECT
What's your favored method for debugging MS SQL stored procedures?
Best way to find free space in sql server databases?
Simulating MySql's password() encryption using .NET or MS SQL
What is a SQL statement to select an item that has several attributes in an item/attribute list?
DB2 SQL code to extract stored procedures
SQL - SELECT MAX() and accompanying field
How do I use a comma separated list of values as a filter in T-SQL?
Oracle SQL Developer: sharing configuration via Dropbox
How do I make schema changes to a mirrored database?
Is there a way to return multiple results with a subquery?
Hibernate subquery
How to know where AS keyword should be used?
Proving SQL Injection
row order when inserting multplie rows in MySQL
SQL Server RowVersion
user activity database structure
What is best approach to get sql data from C#
Hierarchical Database, multiple tables or column with parent id?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!