
Is removing unwanted characters enough to prevent most attacks (Python)? Obviously the code should have more sophisticated rules (e.g. remove more than one consecutive white space after a new line), but my understanding is that only characters used in programming can enable code injection, and I want to make sure I am not missing cases where code injection can happen even with no such characters.

```python
# initializing bad_chars_list
bad_chars = [';', ':', '!', '*', '(']

# initializing test string
test_string = "Examp;l * int s=10;"

# printing original string
print("Original String : " + test_string)

# using replace() to remove bad_chars
for i in bad_chars:
    test_string = test_string.replace(i, '')
```
– Looper

  • There is no code injection in this program to begin with. The way to prevent code injection is to simply not create a code injection bug. – user253751 Apr 26 '22 at 08:54
  • Where do you think an injection vulnerability would occur in your code? In SQL statements? There are ways to prevent that, such as using parameterized queries or an ORM. Plus the "bad_chars" you're quoting may be legitimate user input depending on the context. Oddly your blacklist does not include the single quote which is more likely to cause problems in raw SQL queries that lack proper escaping. To validate certain fields in a form for example, it is common to use regular expressions, then you reject input that does not match the pattern vs a blind replacement. – Kate Apr 26 '22 at 20:13
