Use parameters, that way data and queries are separate.
Comment on Life isn't easy if your last name is 'Null' as it still breaks database entries the world over
ZILtoid1991@lemmy.world 6 days agoAre there character escapes for SQL, to protect against stuff like that?
purplemonkeymad@programming.dev 6 days ago
Septimaeus@infosec.pub 6 days ago
Input sanitation typically handles this as a string that only includes characters supported by the data type of the table in question. While in transit, the strings might be escaped at certain stages, such as via URL encoding. Though this is considered poor practice in many applications, it’s not uncommon to see. The point, however, is to prevent the evaluation of inputs as anything other than their intended type, whether or not reserved characters are present.
sugar_in_your_tea@sh.itjust.works 5 days ago
Only noobs get hit by this (called SQL injection). That’s why we have leads review code…
solrize@lemmy.world 6 days ago
Yes but it’s a dangerous process. You should use paramatrized queries instead.
sugar_in_your_tea@sh.itjust.works 5 days ago
Yup, then it becomes a front-end problem to deal with wonky input. As a backend dev, this is ideal.