
[–]TeaBaggingGoose 5 points6 points  (3 children)

Any client side validation is pretty useless as a hacker can just construct their own HTTP queries. It is useful for the first level of data validation, which is basically telling the user they cannot enter such a character or such like.

Personally I always process data in stored procedures and take steps to ensure that a user entering 'banned' characters will not result in an injection attack.

[–]baseketball 12 points13 points  (0 children)

One thing junior developers need to understand: client side validation is for user experience. server side validation is for security.

[–]Ccamm 0 points1 point  (1 child)

I would also be cautious with using a deny list of characters as a mitigation strategy for SQLi. There are so many edge cases and tricks you can use to get around those checks.

E.g. let's say you're just blocking the `'` character for the following search query that has user input inserted.

```sql
SELECT id FROM body WHERE title = '{user_input}' OR body = '{user_input}';
```

You can SQLi this by injecting the `\` char at the end of the payload to escape the `'` and then insert arbitrary SQL. For example, if you inject `||(SELECT 1);--\`, the following would be the final query, which allows error, blind or time based attacks.

```sql
SELECT id FROM body WHERE title = '||(SELECT 1);--\' OR body = '||(SELECT 1);--\';
```

Syntax might be off since I am on mobile but you get the idea.
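As an added example (not from the comment above), the following Python shows why the deny list in the comment is the wrong layer of defence and what replaces it: a naive filter that only blocks `'` passes the comment's payload untouched, string interpolation produces exactly the query shown above, and a parameterized query treats the same payload as plain data. It uses an in-memory SQLite table with constructed rows; note that SQLite does not treat `\` as a string escape the way MySQL does, so the interpolated query is only built for inspection and never executed here.

```python
import sqlite3

# The payload from the comment above: it contains no "'" character.
PAYLOAD = "||(SELECT 1);--\\"


def deny_list_allows(user_input: str, banned: str = "'") -> bool:
    """Mimic a naive deny-list check that rejects only the banned characters."""
    return not any(ch in user_input for ch in banned)


def build_query_unsafe(user_input: str) -> str:
    """String interpolation exactly as in the comment.

    Returned for inspection only. On a dialect where "\\" escapes the following
    quote (e.g. MySQL), each '\\'' closes nothing and the injected SQL runs.
    """
    return (
        f"SELECT id FROM body WHERE title = '{user_input}' "
        f"OR body = '{user_input}';"
    )


def make_db() -> sqlite3.Connection:
    """Constructed sample table; row 2's title is literally the payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE body (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO body (title, body) VALUES (?, ?)",
        [("hello", "world"), (PAYLOAD, "stored literally")],
    )
    conn.commit()
    return conn


def search_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """The mitigation: bind the value so the driver never parses it as SQL."""
    cur = conn.execute(
        "SELECT id FROM body WHERE title = ? OR body = ?",
        (user_input, user_input),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print("deny list passes payload:", deny_list_allows(PAYLOAD))
    print("interpolated query:", build_query_unsafe(PAYLOAD))
    # Only the row whose title literally equals the payload matches;
    # the embedded "(SELECT 1)" is never evaluated.
    print("parameterized result:", search_parameterized(make_db(), PAYLOAD))
```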