Question

I am using Server.HtmlEncode() and HtmlDecode() in order to sanitize user form input, as well as having the server throw an exception when a "potentially dangerous" input is detected.

(Data is then saved to an MSSQL database)

Is this considered enough to stop SQL / JavaScript injection and similar?


Solution

No, it doesn't prevent it at all. It is used more to prevent XSS attacks, as explained by Microsoft here. Read this Stack Overflow question for some ideas on preventing SQL injection.

Depending on the environment you are in, I would use a technology such as Entity Framework or NHibernate, which prevents SQL injection altogether, so you do not even have to worry about it.
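As an added illustration (not code from the question or the answer above), here is why HTML encoding does not act as a SQL escape and what a parameterized SqlCommand looks like instead; the table and column names (Users, UserName, Age) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example; the Users/UserName/Age schema is assumed for illustration.
public static class UserRepository
{
    // UNSAFE: HtmlEncode (what Server.HtmlEncode wraps) only rewrites <, >, &, " and '
    // so text renders harmlessly in a browser. It knows nothing about SQL: an input
    // such as "1 OR 1=1" contains none of those characters and comes back unchanged,
    // and the result is still pasted straight into the statement text.
    public static string BuildUnsafeQuery(string ageInput)
    {
        string encoded = HttpUtility.HtmlEncode(ageInput);
        return "SELECT UserName FROM Users WHERE Age = " + encoded;
    }

    // SAFE: validate the type, then send the value as a typed parameter. SQL Server
    // receives the statement and the value separately, so the value can never be
    // parsed as part of the query, whatever characters it contains.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string ageInput)
    {
        if (!int.TryParse(ageInput, out int age))
            throw new ArgumentException("Age must be an integer.", nameof(ageInput));

        var cmd = new SqlCommand("SELECT UserName FROM Users WHERE Age = @age", conn);
        cmd.Parameters.Add("@age", SqlDbType.Int).Value = age;
        return cmd;
    }

    // Encoding belongs at output time: store the raw value, HTML-encode it only
    // when it is written into a page. That is the XSS defence, not a SQL one.
    public static string RenderUserName(string userNameFromDb)
    {
        return HttpUtility.HtmlEncode(userNameFromDb);
    }

    public static void Main()
    {
        // Shows that encoding left the SQL-relevant text untouched.
        Console.WriteLine(BuildUnsafeQuery("1 OR 1=1"));
        // SELECT UserName FROM Users WHERE Age = 1 OR 1=1
    }
}
```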

OTHER TIPS

Possibly, but almost certainly not.

Licensed under: CC-BY-SA with attribution