Hey, I have a silverlight application that allows the user to modify their username, password, bio etc. This information is stored in a MySQL database and retrieved used a WCF webservice.
I need to sanitize all information received from the user before it gets into the database. At the moment I can't store apostrophes in my DB. Where is the best place to sanitize the input (silverlight or WCF methods) and how do I go about it?
BTW, I am not worried about开发者_高级运维 SQL injection as I will be implementing parametrized queries in a few days.
Thanks
The correct answer here is somewhat of a matter of architectural preference. This type of user input validation is a system rule. Many would say that all rule implementation should be done on the service side. From a strict separation of concerns point of view all rules should be enforced in the business logic on the service side of the system.
But, when this kind of validation is handled on the client more immediate feedback can be given to the user resulting in a more usable interface. With the added benefit of not producing any network traffic merely for the purpose of telling the user that he pressed the wrong key.
In the end neither approach is wrong. The 'best' approach can really only be determined by what you want for your system. Architectural purity vs. user responsiveness.
You are right to use parameterized queries. Alternatively, you could use an ORM and also get the SQL injection protection.
精彩评论