Our team has recently been working on a logic and data layer for our database. We were not approved to utilize Entity or LINQ to SQL for the data layer. It was primarily built by hand. A lot of the SQL is auto-generated. An obvious downfall of this is the need to sanitize inputs prior to retrieval and insertion.

What are the best methods for doing this? Searching for terms like insert, delete, etc seems like a poor way to accomplish this. Is there a better alternative?

+2  A: 

Generally, the best approach to sanitation is to work like human kidneys do: reject everything by default and pick out what you know is good/safe.

I assume you already use parameters for all SQL queries with external input.

It is also usually good practice to sanitise input primarily as close to UI as possible.

mfloryan
`It is also usually good practice to sanitise input primarily as close to UI as possible.`

But be careful not to exaggerate by starting to do it on the client side :-)
Vasily Korolev
Yes. I have seen enough client-side validation only not to fall for that trap, hence "close to UI", not "in the UI" ;-)
mfloryan
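Putting the "reject by default, use parameters" advice from the answer into a hand-built .NET data layer, as an added example that is not part of the question or the answer: values travel as SqlCommand parameters, and the one thing auto-generated SQL genuinely has to splice into the statement text (a column name for ORDER BY) is checked against an allow-list instead of scanned for keywords. The Customers table, its columns and the method names are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (hypothetical data-layer class, not the poster's code).
public static class CustomerQueries
{
    // Allow-list of identifiers the generated SQL may reference. Identifiers
    // cannot be sent as parameters, so "reject everything by default" means
    // only names on this list are ever placed into the statement text.
    private static readonly HashSet<string> SortableColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Name", "City", "CreatedOn" };

    // Vulnerable shape: the caller's value becomes part of the SQL text, so
    // quoting, comment markers or keywords in it can change the statement.
    public static string UnsafeQuery(string city)
    {
        return "SELECT Id, Name FROM Customers WHERE City = '" + city + "'";
    }

    // Hardened shape: values go through typed parameters, identifiers through
    // the allow-list. No keyword scanning of the input is needed.
    public static SqlCommand BuildQuery(SqlConnection conn, string city, string sortBy)
    {
        if (!SortableColumns.Contains(sortBy))
            throw new ArgumentException("Unknown sort column: " + sortBy, nameof(sortBy));

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT Id, Name FROM Customers WHERE City = @city ORDER BY [" + sortBy + "]";

        // The driver sends the parameter value separately from the statement,
        // so whatever the input contains it is compared as data, never parsed as SQL.
        cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = city;
        return cmd;
    }
}
```

The same split applies to inserts: column values are parameters, while any table or column name chosen at runtime is validated against a known list before the generator emits it.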