Thoughts on Technology Leadership

Why Blocking Apostrophes Is Terrible Security

Fox Mulder, from the TV show X-Files, had trustno1 as his password. It seems overly paranoid, but it is good advice for people designing applications. When writing software you should always assume hostile intent from users and treat entered data with caution. Trusting input can lead to exploits such as SQL injection.

SQL injection (SQLi) is a form of attack that enables hackers to force the application to run their own queries against the application’s database. This can give them access to sensitive information or even delete data. In 2007, the same SQL-injection campaign that hit 7-Eleven also compromised Heartland Payment Systems, exposing data from over 130 million credit and debit cards.

Modern frameworks like Ruby on Rails, SQLAlchemy, and Hibernate have protections against these attacks. However, caution is an admirable quality when making software secure, and engineers will often sanitize data input.

Sanitizing data input is the removal of special characters that can be used as part of SQLi. The semicolon (;) and apostrophe (’) are key parts of creating input that triggers an SQLi attack. Blocking input of these characters seems like a good idea. It is simple to implement and further strengthens your system against attack. This is, however, a naive fix.

In a previous role, after a penetration test found an SQL injection vulnerability, we prevented users from entering special characters, including the apostrophe. This was not a wise move, as calls to support from a Mr O’Shaughnessy demonstrated. The apostrophe can be part of an SQLi attack, but it is also used in many surnames of Irish descent.

Recently, I was pasting text into a web form. This text was for a cover letter. Leaving aside the fact that attaching a PDF makes more sense than pasting plain text, this was another example of poorly executed data sanitization. My input was rejected because it included a semicolon. Yes, a semicolon can be part of an SQLi, but it is also part of English punctuation.

The right approach isn’t to ban characters—it’s to use parameterized queries (prepared statements) and proper input validation. Modern frameworks already do most of this for you. Sanitize only when truly necessary, and always test with real user data (including Irish surnames and perfectly normal punctuation). What’s the worst data sanitization story you’ve seen? Drop it in the comments. #SQLInjection #DataSanitization #CyberSecurity #SoftwareEngineering #WebDevelopment
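To make the contrast concrete, here is an added example (not code from the original post) using Python's sqlite3 module and an in-memory database. It inserts the two legitimate inputs the post mentions, a surname with an apostrophe and a cover letter with a semicolon, first by string concatenation and then through a parameterized query, and shows validation that checks length and control characters rather than banning punctuation. The table, column names and sample values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample inputs: the legitimate values the post says got rejected.
SURNAME = "O'Shaughnessy"
COVER_LETTER = "Dear hiring manager; please find my details below."

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (surname TEXT, cover_letter TEXT)")
    return conn

def insert_concatenated(conn, surname, cover_letter):
    """The naive pattern: user input spliced into the SQL text. The apostrophe
    in O'Shaughnessy closes the string literal early and the statement fails,
    which is what tempts people into banning the character instead."""
    sql = (f"INSERT INTO applicants (surname, cover_letter) "
           f"VALUES ('{surname}', '{cover_letter}')")
    conn.execute(sql)

def insert_parameterized(conn, surname, cover_letter):
    """The fix the post recommends: a prepared statement with placeholders.
    The driver passes the values separately, so quotes and semicolons are
    just characters in a value and never reach the SQL parser as syntax."""
    conn.execute("INSERT INTO applicants (surname, cover_letter) VALUES (?, ?)",
                 (surname, cover_letter))

def validate_surname(surname):
    """Validation that does not exclude real names: bound the length and
    reject control characters, but allow apostrophes, hyphens and spaces."""
    return 0 < len(surname) <= 100 and all(ch.isprintable() for ch in surname)

def lookup(conn, surname):
    return conn.execute("SELECT surname, cover_letter FROM applicants WHERE surname = ?",
                        (surname,)).fetchone()

def demo():
    conn = setup_db()
    outcome = {"valid": validate_surname(SURNAME)}
    try:
        insert_concatenated(conn, SURNAME, COVER_LETTER)
        outcome["concat"] = "inserted"
    except sqlite3.OperationalError as exc:
        outcome["concat"] = f"rejected by SQL parser: {exc}"
    insert_parameterized(conn, SURNAME, COVER_LETTER)
    outcome["param"] = lookup(conn, SURNAME)  # the row round-trips intact
    return outcome

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same apostrophe that breaks the concatenated statement is stored and read back unchanged by the parameterized one, so there is no need to reject Mr O'Shaughnessy at the form.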
