Why are they so dangerous? Couldn't you write a simple client-side Java string that would just return an error if certain characters were entered? How could you bypass code like this?
>>58049059
>Why are they so dangerous?
Because they expose your database.
>Couldn't you write a simple client-side Java string that would just return an error if certain characters were entered?
1) You still need server-side sanitation, because people can write their own malicious clients.
2) Banning characters is a bad idea. Do you really want to prevent certain characters from being used in stuff like passwords? Imagine if 4chan banned the character ', then how would I write isn't, don't, etc.?
>How could you bypass code like this?
Write my own client to send a string to the server.
The proper approach here is to use prepared statements in addition to whatever sanitation method you use.
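The two points above (a legitimate apostrophe breaks naive string-building, and a prepared statement keeps client input as data no matter what the client sends), shown as an added example in Python with the standard sqlite3 module; this is not code from anyone in the thread, and the table and inputs are constructed for the demo:

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("o'brien", "obrien@example.org"),   # legitimate apostrophe
         ("bob", "bob@example.org")],
    )
    return conn


def lookup_naive(conn, name):
    """Vulnerable: the server splices whatever the client sent into SQL."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Prepared statement: the name is a bound parameter, never SQL text."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def naive_query_fails(conn, name):
    """True when the naive query cannot even be parsed for this input."""
    try:
        lookup_naive(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A real name with a quote: naive version errors, prepared one works.
    print(naive_query_fails(db, "o'brien"), lookup_prepared(db, "o'brien"))
    # The textbook tautology: naive version returns every row,
    # prepared version just looks for a user literally named that.
    tautology = "x' OR '1'='1"
    print(lookup_naive(db, tautology), lookup_prepared(db, tautology))
```

The server-side check is what matters here: no client-side filter changes what `lookup_naive` does with a string a hand-written client sends.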
>>58049105
Write your own client? Do you mean something that would bypass the Java that's checking the string?
>>58049059
> client side
you can't trust the client
It's not about the client, it's about the server...
>>58049144
>Write your own client? Do you mean something that would bypass the Java that's checking the string?
Yes.
Basically what >>58049277 says, you can't trust the client.
>>58049144
Kinda. OP has written "a simple client side java [...]", so what happens if I write my own client?
Thanks Anons
>>58049059
>client-side sanitation
kek