23 Jul 2021, 7:32 p.m.
On 23.07.21 16:45, Phil Endecott via Boost wrote:
> What I'm trying to do is to sanitise the input to an internet-exposed
> process, to reject malicious input'); drop table users;
>
> As an example I'll look at input that is supposed to be base-64 encoded
> and no more than a couple of kilobytes long.

I'm going off on a tangent here, but I hope you're not actually trying to prevent SQL injection attacks by validating inputs with regular expressions. That would be a brittle and unnecessarily complex approach which would almost certainly either reject valid input or fail to reject all attacks or both. The only correct way to prevent SQL injection attacks is to always use parametrized statements.
-- Rainer Deyke (rainerd@eldwood.com)
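The contrast Rainer draws, shown as an added example that is not part of the thread and not code from either poster: a lookup whose SQL is built by string concatenation beside the same lookup as a parametrized statement, run against an in-memory SQLite table. The `users` table, the sample names and the character-allowlist regex are constructed for the demo; the hostile string is the one quoted in the thread, used only as data.

```python
"""Added example (not from the Boost thread): string-built SQL versus a
parametrized statement, exercised against an in-memory SQLite table."""
import re
import sqlite3

# Constructed sample data; the table layout and names are assumptions.
SAMPLE_USERS = ["alice", "O'Brien"]

# The hostile string quoted in the thread, passed around here as plain data.
HOSTILE_INPUT = "'); drop table users;"

# A typical "sanitising" allowlist of the kind Rainer warns about.
NAIVE_FILTER = re.compile(r"^[A-Za-z0-9 ]+$")


def passes_naive_filter(value: str) -> bool:
    """Regex gatekeeping: note that it throws away the legitimate O'Brien."""
    return NAIVE_FILTER.match(value) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_USERS])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The shape to avoid: the input is pasted into the SQL text, so the
    # database parser sees it as part of the statement, not as a value.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parametrized statement: the SQL text is fixed; the value is bound
    # separately and is never parsed as SQL, whatever characters it holds.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def users_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


def compare(name: str) -> tuple:
    """Run both lookups on one input and return (unsafe_result, safe_result).

    The unsafe result is the matched names, or an 'error: ...' string when
    the concatenated statement fails to parse. The safe lookup always
    returns a list and never alters the schema.
    """
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    safe = lookup_safe(conn, name)
    assert users_table_exists(conn)  # the parametrized path cannot drop it
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for candidate in ["alice", "O'Brien", HOSTILE_INPUT]:
        print(repr(candidate), "filter passes:", passes_naive_filter(candidate))
        print("   unsafe / safe:", compare(candidate))
```

Both failure modes from the reply show up: the allowlist rejects the valid name `O'Brien`, and the concatenated query breaks on that same apostrophe, while the parametrized lookup returns the row. Fed the hostile string, the parametrized lookup simply finds no user and the `users` table is still there afterwards.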