I have an edit control in which the user should enter a company name. The edit control is locale aware. I wish to properly protect it from SQL injection attacks and from the user entering nonsense characters.
I was thinking of discarding the colon and semicolon in my subclassing procedure in response to WM_CHAR, and of performing the validation again in response to EN_CHANGE. If a problem occurs, I would inform the user and disable the "Save" button.
Since my application is locale aware, I need locale aware functions for testing the input character.
So far I have found IsCharAlpha and IsCharAlphaNumeric, which seem locale aware (my English is not the best, so maybe I have misread the MSDN documentation; I apologize for that).
I have also searched here for similar questions but found none.
Will discarding the semicolon alone do the trick, or do I need to take some other characters into consideration?
Am I on the "right track" with subclassing + EN_CHANGE, or is there a better way to achieve this? If there is, can you point me in the right direction?
Thank you.
Best regards.
SQL Injection attacks only occur when you create SQL statements dynamically using user input without validating/escaping the input first. Don't create SQL statements dynamically! Use parameterized queries or stored procedures, then there is no risk of SQL Injection at all.
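An added example (not from the question or the answer) of the answer's point: the same company-name text, taken from the edit control, is run once through a dynamically built statement and once through a parameterized one. Python's sqlite3 stands in for whatever database the Win32 application talks to; with ODBC the parameterized path is SQLBindParameter, and the principle is identical.

```python
import sqlite3


def make_db():
    """In-memory database with one table, constructed for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (name TEXT NOT NULL)")
    return conn


def insert_dynamic(conn, name):
    """The pattern the question worries about: the edit-control text is
    pasted into the SQL text itself, so every quote in the name changes
    the statement's structure."""
    sql = "INSERT INTO company (name) VALUES ('" + name + "')"
    conn.execute(sql)


def insert_parameterized(conn, name):
    """The answer's recommendation: the statement is fixed, the value travels
    separately through a placeholder, so quotes, semicolons and any
    locale-specific characters are stored verbatim as plain data."""
    conn.execute("INSERT INTO company (name) VALUES (?)", (name,))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM company ORDER BY rowid")]


def demo(name):
    """Run one company name through both paths on a fresh database.
    Returns (outcome of the dynamic insert, names actually stored)."""
    conn = make_db()
    try:
        insert_dynamic(conn, name)
        dynamic_result = "stored"
    except sqlite3.Error as exc:
        # A legitimate name such as O'Reilly breaks the dynamic statement:
        # the apostrophe terminates the string literal early.
        dynamic_result = "error: " + type(exc).__name__
    insert_parameterized(conn, name)
    return dynamic_result, stored_names(conn)


if __name__ == "__main__":
    # Constructed sample names: the semicolon the question wants to filter is
    # harmless inside a literal; the apostrophe it does not mention is what
    # breaks the dynamic statement. Parameterized inserts accept both.
    print(demo("Smith; Jones & Co."))
    print(demo("O'Reilly & Sons"))
```

The dynamic path fails on an ordinary apostrophe and would have to reject or mangle real company names, while the parameterized path stores every name unchanged, which is why character filtering in WM_CHAR is neither sufficient nor necessary for the SQL side of the problem.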