- Home /
How to prevent sql injection on the Unity Side
I want to do some sanitation on input from the user before it gets sent to php for database insertion. In my particular application it doesn't matter that much since only select people can put info into the database, but I do want to prevent problems like someone entering Andy's or Rick! I've tried trimming the string, I've tried replacing the string, so far nothing has worked. Anyone have a solution?
char[] charsToTrim = {"'", '"', '/', '\\', '!', "@", '#', '%', "()", ":"};
Error: Cannot implicitly convert type string' to
char' I tried changing the type to string which gives the same error.
Thanks in advance!
Answer by Bunny83 · Jun 26, 2019 at 11:29 PM
It's completely pointless to do any sort of sql injection protection client side. PHP has proper escape functions. Just make sure the escaped values are always enclosed in quotes or even better use prepared statements.
Any clientside sanity checks should not alter the data. Clientside check should just check for potential issues, inform the user about the error and not executing the request at all. Automatic input alteration can lead to a lot issues in the future. For example if someone enters a username / string / password / whatever with a certain character and you strip it ot replace it he might not know what actual value got stored. If in the future your logic changes It will just break. So clientside sanity checks are never a security measure but only to inform the user about a mistake. Any actual security measures has to be implemented serverside.
Your answer
Follow this Question
Related Questions
Multiple Cars not working 1 Answer
Value will not return from ArrayList, C# 1 Answer
String Parsing 1 Answer
Iterating through multidimensional arrays 2 Answers
Get JSON array object string value 2 Answers