Question

INTRODUCTION AND RELEVANT INFORMATION:

I have an edit control in which the user should enter a company name. The edit control is locale aware.

PROBLEM:

I wish to properly protect it from SQL injection attacks and from user entering nonsense characters.

MY EFFORTS TO SOLVE THE PROBLEM:

I was thinking of discarding the colon and semicolon in my subclassing procedure in response to WM_CHAR, and performing the validation again in response to EN_CHANGE. If a problem occurs I would inform the user and disable the "Save" button.

Since my application is locale aware, I need locale aware functions for testing the input character.

So far I have found IsCharAlpha and IsCharAlphaNumeric, which seem locale aware (my English is not the best, so maybe I have misread the MSDN documentation; I apologize for that).

I have also searched here for similar questions but found none.

QUESTION:

Will discarding the semicolon alone do the trick, or do I need to take some other characters into consideration?

Am I on the "right track" with subclassing + EN_CHANGE or is there a better way to achieve this? If there is can you point me in the right direction?

Thank you.

Best regards.


Solution

SQL Injection attacks only occur when you create SQL statements dynamically using user input without validating/escaping the input first. Don't create SQL statements dynamically! Use parameterized queries or stored procedures, then there is no risk of SQL Injection at all.
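To make the answer concrete, here is an added example (not part of the original question or answer) that contrasts building the INSERT by string concatenation with binding the company name as a parameter. It uses Python's sqlite3 module with an in-memory database so it runs offline; the table layout and the sample company name are constructed for the demonstration. The same separation of statement text from values is what ODBC's SQLBindParameter or an ADO Command's Parameters collection gives a Win32 application.

```python
import sqlite3

# Constructed sample input: a legitimate company name. A filter that only
# discards ';' and ':' would still let this through, and the apostrophe is
# enough to break a statement assembled from strings.
SAMPLE_NAME = "O'Brien & Sons; Ltd"


def make_db():
    """Create an in-memory database with a minimal company table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, name):
    """The pattern the answer warns against: the user's text becomes part of the SQL."""
    sql = "INSERT INTO company(name) VALUES ('" + name + "')"
    conn.execute(sql)


def insert_parameterized(conn, name):
    """Bound parameter: the value travels separately from the statement text,
    so no character in it can change the statement's structure."""
    conn.execute("INSERT INTO company(name) VALUES (?)", (name,))


def find_by_name(conn, name):
    """Look a company up, again with a bound parameter; returns the stored name or None."""
    row = conn.execute("SELECT name FROM company WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo(name=SAMPLE_NAME):
    """Run both insert styles against the same input and report what happened."""
    conn = make_db()
    results = {}
    try:
        insert_concatenated(conn, name)
        results["concat"] = "inserted"
    except sqlite3.Error as exc:
        # The apostrophe terminates the literal early; SQLite rejects the statement.
        results["concat"] = "error: " + type(exc).__name__
    insert_parameterized(conn, name)
    results["param"] = find_by_name(conn, name)
    results["rows"] = conn.execute("SELECT COUNT(*) FROM company").fetchone()[0]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `demo()` shows the concatenated insert failing on an ordinary name while the parameterized insert stores it byte for byte and finds it again. Rejecting characters in WM_CHAR or EN_CHANGE is still reasonable as a usability check on what a company name may contain, but it is not what keeps the statement safe; the parameter binding is.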

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow