I have gone through a lot of articles out there to find a simple list of characters that a user should be restricted from entering, to protect my site against XSS and SQL injection, but couldn't find any generic list as such.
Can someone help me out by simply giving me a list of safe or unsafe characters in this regard? I know this can be field specific, but I need this for a text field where I want to allow the maximum possible characters.
You should always use parameterized statements where available, they are your number one protection against SQL injection. You can see more examples of parameterized statements in various languages in the code samples below.
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
The "black-list" approach is fraught with problems. For both SQLi and XSS, input validation against a white-list is essential i.e. define what you do expect rather than what you don't expect. Remember also that user input - or "untrusted data" - comes from many places: forms, query strings, headers, ID3 and exif tags etc.
For SQLi, make sure you're always using parametrised SQL statements, usually in the form of stored procedure parameters or any decent ORM. Also apply the "principle of least privilege" and limit the damage the account connecting to your database can do. More on SQLi here: http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html
On the XSS front, always encode your output and make sure you're encoding it for the appropriate markup language it appears in. Output encoding for JavaScript is different to HTML which is different to CSS. Remember to encode not just responses which immediately reflect input, but also untrusted data stored in the database which could hold a persistent XSS threat. More on all this here: http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html
I know this goes a bit beyond your original question, but the point I'm trying to make is that allowable characters is but one small part of the picture. The other practices mentioned above are arguably more important (but you should still use those white-lists as well).
Character filtering is not how you should go about security. To prevent SQL injection, use prepared statements. To prevent XSS, you should escape all user input properly.
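The three things the answers above keep coming back to (parameterized statements, output encoding for the right context, and an allow-list that defines what you expect) side by side, as an added example that is not from any of the answers. It uses Python's standard sqlite3 and html modules with a constructed in-memory table; the function names and the allow-list pattern are my own assumptions for a display-name field.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # The pattern the answers warn against: input spliced into the SQL text.
    # A quote in the input either breaks the query or changes its logic,
    # so no character black-list makes this safe.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterized statement: the input is bound as a value and is never
    # parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name):
    # Output encoding for an HTML text context. A different context
    # (JavaScript string, attribute, CSS, URL) needs a different encoder.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Assumed allow-list for a display name: letters, space, dot, hyphen,
# apostrophe, 1-64 characters. It describes what is expected rather than
# trying to enumerate what is dangerous, and still lets "O'Neil" through,
# which is why it complements the two defences above instead of
# replacing them.
NAME_PATTERN = re.compile(r"[A-Za-z .'-]{1,64}")


def is_expected_name(name):
    return NAME_PATTERN.fullmatch(name) is not None
```

With the constructed table, `find_user_unsafe` returns every row for an input that closes the quote and appends an always-true condition, while `find_user_safe` returns nothing for that same string and a single row for "alice".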
Look at the implementation of XSS filtering in the Drupal CMS. The function has a white list containing allowed HTML tags; all other stuff will be escaped.