  1. #1
    SitePoint Enthusiast (joined Nov 2004)

    Db security for link submission site

    What's the best way to minimize potential risks like sql injection attacks, when site visitors add a link that goes directly into the database?

    I can't just block all the characters, since too many websites have all sorts of characters in their links. Do I just delete some that never seem to be used, like quotes, etc.?

  2. #2
    Dan Grossman (joined Aug 2000, Philadelphia, PA)
    Actually, URLs can only contain 73 different characters:

    - Uppercase letters (26)
    - Lowercase letters (26)
    - Numbers (10)
    - These special characters: $-_.+!*'(), (11)

    So stripping out anything else will go a long way to helping avoid cross-site scripting attacks. SQL injection attacks are mitigated by properly escaping strings before putting them into a SQL query -- most languages will provide a wrapper for MySQL's internal string escaping function, or use prepared statements which take care of it automatically.
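    One way to put the reply's advice into practice, as an added example that is not code from either poster: validate the submitted link before it goes anywhere near the database, then insert it with a bound parameter so the database driver never has to escape it. The scheme allow-list and length limit are my own assumptions, and sqlite3 stands in for the site's MySQL table.

```python
import sqlite3
from urllib.parse import urlsplit

# Assumed allow-list: only web links are accepted. Refusing other schemes also
# handles the cross-site scripting side of the reply (no "javascript:" links).
ALLOWED_SCHEMES = {"http", "https"}
MAX_LEN = 2048  # assumed sanity limit on submitted links


def validate_link(url: str) -> str:
    """Return the trimmed URL if it is a plausible http(s) link, else raise ValueError."""
    url = url.strip()
    if not url or len(url) > MAX_LEN:
        raise ValueError("link is empty or too long")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("only http and https links are accepted")
    if not parts.netloc or any(c.isspace() for c in url):
        raise ValueError("link has no host or contains whitespace")
    return url


def open_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's links table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT NOT NULL)")
    return conn


def store_link(conn: sqlite3.Connection, url: str) -> int:
    """Validate, then insert with a bound parameter.

    The SQL text is fixed; the value travels separately, so an apostrophe or
    any other character in the link is stored as data, never parsed as SQL.
    """
    clean = validate_link(url)
    cur = conn.execute("INSERT INTO links (url) VALUES (?)", (clean,))
    conn.commit()
    return cur.lastrowid


def fetch_links(conn: sqlite3.Connection) -> list:
    """Return all stored links in insertion order."""
    return [row[0] for row in conn.execute("SELECT url FROM links ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    store_link(db, "http://example.com/books/o'reilly")  # apostrophe survives intact
    try:
        store_link(db, "javascript:void(0)")
    except ValueError as err:
        print("rejected:", err)
    print(fetch_links(db))
```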
