I've been learning programming and recently realized I need to get a handle on input sanitization. Right now, I'm using express-validator for sign-up forms and checking input types in my React app. But I'm starting to think that might not be enough. I've read that React takes care of not executing raw SQL or HTML, but I have questions:
1. If scripts or SQL queries can still reach the database, what prevents that data from being altered?
2. Am I missing anything in terms of where and how I should be validating and sanitizing input? I understand that libraries like DOMPurify are helpful for cases like .innerHTML, which I'm not using anymore. What should I focus on instead?
3 Answers
Let’s clarify some terms: validation checks if the input meets your expectations (like format and type), while sanitization cleans the data. You’re safe from SQL injections with Prisma since it handles that. The real focus should be on backend validation, and keeping raw HTML out of play helps a lot with XSS concerns!
You’re definitely on the right track, but remember that frontend sanitization only protects the user's experience, not the server. You must also validate and sanitize on the backend to prevent any direct malicious attempts to bypass your app. As for Prisma, it does handle SQL injections using parameterized queries, but don’t forget about other types of injections. Keeping your validations robust on both sides is essential!
Exactly! And I’ve also started using Zod for schema validations in my backend. It helps a lot and adds another layer of security, which is great for learning best practices.
You’re right that React itself doesn’t sanitize SQL; Prisma is your go-to for that. It's crucial to do your checks on both the frontend and backend. If you're not using 'dangerouslySetInnerHTML', you're avoiding many XSS issues. It’s also wise to implement middleware like Zod to catch any bad data before hitting the database.
Yes! I’m finding Zod really helpful too. It prevents any garbage from even getting close to your database, which is what you want! Just remember to also review your sanitization functions regularly.

Totally! I’ve found focusing on both validation and sanitization really helps. It’s about layering your defenses, so you can catch errors wherever they crop up!
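The backend validate-then-sanitize step that several answers recommend, as an added example (not code from this thread; it uses no library, whereas express-validator and Zod let you express the same rules declaratively). The sign-up field names, the rules, and the Express-style middleware shape are assumptions.

```javascript
// Added example: backend validation + sanitization for a sign-up body.
// Plain Node.js, no dependencies. Field names and rules are assumptions.
const SIGNUP_FIELDS = ['email', 'username', 'password'];

// Validation: does the input meet expectations (shape, type, format, length)?
// Returns a list of problems; an empty list means the body is acceptable.
function validateSignup(body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  // Reject anything the form is not supposed to send, instead of silently storing it.
  for (const key of Object.keys(body)) {
    if (!SIGNUP_FIELDS.includes(key)) errors.push(`unexpected field: ${key}`);
  }
  if (typeof body.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) {
    errors.push('email must be a valid address');
  }
  if (typeof body.username !== 'string' || !/^[A-Za-z0-9_]{3,20}$/.test(body.username)) {
    errors.push('username must be 3-20 characters of [A-Za-z0-9_]');
  }
  if (typeof body.password !== 'string' || body.password.length < 12 || body.password.length > 128) {
    errors.push('password must be 12-128 characters');
  }
  return errors;
}

// Sanitization: normalize an already-valid body before it reaches the database.
// It runs only after validation passed, so it never has to "repair" bad input.
function sanitizeSignup(body) {
  return {
    email: body.email.trim().toLowerCase(),
    username: body.username,
    password: body.password,
  };
}

// Express-style middleware: answer 400 before the route handler (and the
// database) sees the body. Client-side checks in the React form are not trusted,
// because a request can be sent to the API without ever loading the form.
function signupValidator(req, res, next) {
  const errors = validateSignup(req.body);
  if (errors.length) return res.status(400).json({ errors });
  req.body = sanitizeSignup(req.body);
  return next();
}

// Constructed sample: a request posted straight to the API, bypassing the form.
const forged = { email: 'a@b.co', username: 'x', password: 'short', isAdmin: true };
console.log(validateSignup(forged));
```

With Express this is `app.post('/signup', express.json(), signupValidator, handler)`; the handler then passes `req.body` to Prisma, whose parameterized queries handle the SQL side.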