The key aspect of preventing injection vulnerabilities is validation. User-provided input should never be trusted; it should always be validated, and rejected or sanitized if it contains invalid or dangerous characters such as the following:
- Quotes (' and ")
- Parentheses and brackets
- Reserved special characters ('!', '%', '&', and ';')
- Comment sequences ('--', '/*', '*/', '#', and '(:', ':)')
- Other characters specific to language and implementation
The recommended approach for validation is the whitelist. This means having a list of allowed characters for each input field or group of fields and comparing the submitted strings to that list. All characters in the submitted string must be...
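As an added example (not code from the original text), the following Python validator applies a whitelist per field: each field has its own set of permitted characters, and a submitted value is accepted only if every character belongs to that set. The field names and patterns are assumptions chosen for illustration.

```python
import re
from typing import Dict, Optional

# Per-field whitelist, expressed as a full-match regex so that every character
# in the submitted string must belong to the allowed set (assumed fields).
FIELD_WHITELISTS: Dict[str, re.Pattern] = {
    "username": re.compile(r"[A-Za-z0-9_.]{1,32}"),
    "zip_code": re.compile(r"[0-9]{5}"),
    "comment":  re.compile(r"[A-Za-z0-9 ,.?]{1,500}"),
}

# Characters and sequences the text lists as dangerous. They are used only to
# give a precise rejection reason; the whitelist is the actual decision rule,
# so anything not explicitly allowed is rejected even if it is not listed here.
DANGEROUS_TOKENS = ["'", '"', "(", ")", "[", "]", "!", "%", "&", ";",
                    "--", "/*", "*/", "#", "(:", ":)"]


def validate_field(field: str, value: str) -> Optional[str]:
    """Return None if `value` is acceptable for `field`, else a rejection reason.

    Unknown fields are rejected outright: with no whitelist to check against,
    the safe default is to refuse the input rather than pass it through.
    """
    pattern = FIELD_WHITELISTS.get(field)
    if pattern is None:
        return f"unknown field {field!r}"
    if pattern.fullmatch(value):
        return None
    found = [t for t in DANGEROUS_TOKENS if t in value]
    if found:
        return f"disallowed sequence(s) {found!r} in {field!r}"
    return f"value for {field!r} does not match its whitelist"


def validate_form(form: Dict[str, str]) -> Dict[str, str]:
    """Validate every submitted field; return {field: reason} for rejected ones."""
    rejected: Dict[str, str] = {}
    for field, value in form.items():
        reason = validate_field(field, value)
        if reason is not None:
            rejected[field] = reason
    return rejected
```

Validation of this kind complements, rather than replaces, parameterized queries: the whitelist keeps malformed data out at the boundary, while the query API keeps data from ever being parsed as code.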