While looking for best user input sanitizing practices, I found that Ktor has a String.escapeIfNeeded method. Is it enough to protect my database from injection and other possible attacks? I also found the Apache commons-text library that has StringEscapeUtils, but it seems a bit less practical since there's an escape method for Java, one for ECMAScript, etc…
jean
08/06/2021, 7:28 AM
Turned out escapeIfNeeded() is internal anyway. Do you have any suggestions for me regarding what I should use to make sure a string is safe?
spand
08/06/2021, 7:36 AM
Safe in what context?
spand
08/06/2021, 7:38 AM
But in general escaping ought to be provided by the library, i.e. Exposed will prevent SQL injection, kotlinx.html will prevent HTML injection, etc.
Opt-in escaping like such a method is woefully error-prone.
Vampire
08/06/2021, 7:38 AM
If you want to prevent SQL injection, don't build SQL statements out of strings from untrusted sources, but use prepared statements. At least that's what you do with JDBC.
jean
08/06/2021, 7:50 AM
This is an example where I'm concerned about security: