A key aspect of preventing injection vulnerabilities is input validation. User-provided input should never be trusted; it should always be validated and then rejected (or, as a weaker alternative, sanitized) if it contains characters that are invalid for the field or carry special meaning in the target language, for example:
- Quotes (' and ")
- Parentheses and brackets
- Reserved special characters ('!', '%', '&' and ';')
- Comment sequences ('--', '/*', '*/', '#', and the '(:' ... ':)' pair)
- Other characters specific to the target language and implementation
The recommended approach to validation is the whitelist (allowlist): define the set of allowed characters, or a pattern, for each input field or group of fields, and accept a submitted string only if every character in it belongs to that set. A blacklist of known-bad characters is weaker, because a list like the one above is never complete and alternative encodings or dialect-specific syntax give an attacker ways around it.
For SQL injection in particular, parameterized (prepared) statements should be used instead of concatenating inputs into query strings: the query text is sent to the database separately from the data values, so a value can never be parsed as part of the SQL. Validation remains useful as defence in depth, but it is the parameterization that removes the injection. The implementation of prepared statements varies from one language to another...
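The following is an added example, not code from the original text, that puts the two preceding points together in Python using the standard-library sqlite3 driver. It shows a per-field allowlist validator (the field names and patterns are illustrative assumptions), a deliberately vulnerable lookup built by string concatenation, and the parameterized version of the same lookup. The in-memory table and its two rows are constructed sample data.

```python
"""Allowlist validation and parameterized queries against an in-memory sqlite3 database."""
import re
import sqlite3

# Per-field allowlists. Each field gets its own set of permitted characters
# (and length); the field names and patterns below are illustrative assumptions.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "zip_code": re.compile(r"[0-9]{5}"),
}


def validate(field, value):
    """Return True only if the whole value matches the field's allowlist pattern.

    fullmatch() is used so that every character must be covered by the pattern;
    a single quote, dash or space anywhere in the value causes rejection.
    """
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise KeyError(f"no allowlist defined for field {field!r}")
    return rule.fullmatch(value) is not None


def _demo_db():
    """Constructed sample data: a users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concatenated(conn, username):
    """VULNERABLE: the value becomes part of the SQL text.

    Input "' OR '1'='1" turns the WHERE clause into a tautology and returns every
    row; input "alice'--" closes the quote and comments out the rest of the query.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """SAFE: the driver binds username as data, so it is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def safe_lookup(conn, username):
    """Defence in depth: reject input that fails the allowlist, then parameterize."""
    if not validate("username", username):
        raise ValueError("username failed allowlist validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = _demo_db()
    for attack in ("' OR '1'='1", "alice'--"):
        print(repr(attack), "allowlist ok:", validate("username", attack))
        print("  concatenated  ->", lookup_concatenated(db, attack))
        print("  parameterized ->", lookup_parameterized(db, attack))
```

Running the block prints, for each attack string, that the allowlist rejects it, that the concatenated query returns rows it should not (both users for the tautology, alice for the comment trick), and that the parameterized query returns nothing because no username literally equals the attack string.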