Free Republic
News/Activism

To: BornToBeAmerican; perfect_rovian_storm

The method of hand-coding a check for each input field certainly works, but it is tedious, prone to error, and adds costs to the project. If there is time and money pressure, it probably won’t be implemented carefully or at all.

That is why it is much better to use a framework or technology where this is automatically supplied.


25 posted on 04/02/2011 4:29:53 AM PDT by proxy_user


To: proxy_user

I’m not disagreeing with you, but hand-coding is NOT tedious or prone to error, and it does not add costs to the project.

It is very simple to write a (reusable) sub-routine or function that does this on the fly.


26 posted on 04/04/2011 7:13:49 PM PDT by BornToBeAmerican (Kindness will conquer evil)

To: proxy_user

Oh, I was referring to every returned post after the form has been submitted. Granted, coders should not allow certain values (chr’s) to be entered in a txt field, but this is not where SQL Injection comes from. Typically an injected field can be passed in the URL string.

However, it is not too difficult to create a dummy site and send data to the real site. Of course it is easy to check whether the data is coming from the host or not. Still, this can be worked around using the header string.

Which brings me back to my first point and that is to check, validate and truncate every string that is returned to the host, no matter where from.

The coder should verify everything is legit before the submit button is pressed, but only the ignorant would assume it will always arrive ‘as sent’.

This is probably more info than you wanted.


27 posted on 04/04/2011 7:25:09 PM PDT by BornToBeAmerican (Kindness will conquer evil)
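The two positions in this exchange (a reusable hand-written check applied to every submitted string, and a framework that separates data from query text automatically) are not mutually exclusive. The example below, added here and not code from either poster, shows both together: one reusable validate-and-truncate function applied to every field regardless of where it arrived from, and a parameterized query so the database driver, not string concatenation, decides what is data. The field rules in `FIELD_RULES`, the table layout and the sample inputs are all constructed for this example; `sqlite3` stands in for whatever database the real site would use.

```python
import re
import sqlite3

# Constructed per-field rules: (maximum length, allow-list pattern or None).
# In a real project these would be defined once next to the form definition.
FIELD_RULES = {
    "username": (32, re.compile(r"[A-Za-z0-9_.-]+")),
    "comment": (500, None),
}


class ValidationError(ValueError):
    """Raised when a submitted field fails the reusable check."""


def validate_field(name, value):
    """Reusable check for one field: reject unknown fields and non-strings,
    truncate to the field's maximum length, and enforce the allow-list
    pattern where one is defined. Returns the cleaned value."""
    if name not in FIELD_RULES:
        raise ValidationError(f"unknown field: {name}")
    if not isinstance(value, str):
        raise ValidationError(f"{name}: expected a string")
    max_len, pattern = FIELD_RULES[name]
    value = value.strip()[:max_len]          # truncate, as post 27 suggests
    if pattern is not None and pattern.fullmatch(value) is None:
        raise ValidationError(f"{name}: contains disallowed characters")
    return value


def validate_request(fields):
    """Apply validate_field to every submitted field. It does not matter
    whether the values came from the form body, the URL or a header."""
    return {name: validate_field(name, value) for name, value in fields.items()}


def setup_db():
    """Create an in-memory database with one constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (username TEXT, comment TEXT)")
    return conn


def store_comment(conn, fields):
    """Validate every field, then insert with a parameterized query. The
    placeholders mean the driver treats the values purely as data, so a
    quote or semicolon inside a comment is stored literally, never run."""
    clean = validate_request(fields)
    conn.execute(
        "INSERT INTO comments (username, comment) VALUES (?, ?)",
        (clean["username"], clean["comment"]),
    )
    conn.commit()
    return clean


def fetch_comments(conn):
    """Return all stored rows as (username, comment) tuples."""
    return conn.execute("SELECT username, comment FROM comments").fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Constructed request: the comment contains quote characters that would
    # be a problem only if the query text were built by concatenation.
    store_comment(db, {"username": "alice", "comment": "it's a 'quoted' remark; fine"})
    print(fetch_comments(db))
    try:
        validate_field("username", "bob; extra")
    except ValidationError as err:
        print("rejected:", err)
```

The point of the `username` rule is that an allow-list is cheaper to get right than trying to enumerate every character that could be harmful; the point of the placeholders is that even a field with no pattern (free text like `comment`) never becomes part of the SQL statement.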



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson