Cybersecurity

5984 readers

31 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago

MODERATORS

kid

[email protected]

Should you allow username to use Apostrophe (aka quotes ) (programming.dev)

submitted 11 months ago by [email protected] to c/cybersecurity

9 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/10497245

Hi,

For websites I've always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.

It's easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.

On the topic I've this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

you are viewing a single comment's thread
view the rest of the comments

[–] merc 0 points 10 months ago (1 children)

Ok, but that wasn't the question. The question was "Should you allow username to use Apostrophe (aka quotes )".

There's no mention of what the role of the backend is, just the question of what that policy choice should be. By looking at it only through the lens of the backend, you're going to cause headaches.

[–] sugar_in_your_tea 2 points 10 months ago

We're in a community focused on cyber security, and the question linked this stack exchange thread, which is explicitly about SQL injection. From that article:

To block single quotes in all input is madness. This breaks functionality of the application and isn't even the correct solution against SQL injection.

The context is SQL injection, which typically is a backend thing. That's why I talked about BE vs FE. You could instead say "DB layer" vs "presentation layer" if you prefer.

But my point is that removing single quotes in the context of cyber security completely misses the point. Only remove single quotes (or any other character) if it makes sense for your application use case, not for some vague sense of "security." If allowing single quotes causes a security vulnerability, your code is wrong even if you disallow single quotes.