How to Avoid SQL Injections, XSS Attacks, and File Upload Attacks in Web Apps

JasonCannon4y ago· 2 in thread

Honestly, I wouldn't even suggest people try and escape their inputs. Just use parameters. They will be far more secure than attempting to escape and sanitize inputs.

_ndianabasiOP4y ago

I agree as well. I suggested using parameters/bindings. Hope you saw that in the article. Thank you for your comment.

JasonCannon4y ago

I did see that, I was saying skip the first suggestion of sanitizing input, and just use the second suggestion. The first suggestion is just asking for trouble.

1 more reply

gungsukma24y ago· 1 in thread

> So the company value will be stored like this: ' or '=' instead of this " or ""="

No, if they enter '"', store it as '"' in your database (maybe by using '\"' in the query), serve it as ''' in html ('"', actually).

marcos1004y ago

Yes, you should persist the raw user input. Why would my non-html gui app show some escaped html?

_ndianabasiOP4y ago

This long-form article, I discussed in details how to prevent SQL injections, Cross-site scripting, and file upload attacks in web applications. I brought together my 10+ years experience with Linux server administration and 4+ years experience with full-stack software development to draft one of the most detailed post on the subject matter on the internet. I'm looking forward to your feedback.

How to Avoid SQL Injections, XSS Attacks, and File Upload Attacks in Web Apps (opens in new tab)

How to Avoid SQL Injections, XSS Attacks, and File Upload Attacks in Web Apps (opens in new tab)

9 comments

9 comments