duanboshe0001 2018-08-18 06:45
Views: 69
Accepted

Is HTML's date-type input vulnerable to SQL injection?

I know that when processing user input on server and inserting it into database, we need to use prepared statements to prevent SQL injection.

I noticed something about HTML's <input type="date">: when you choose a date, for example, the value is not shown after inspecting the element; however, text boxes, check boxes, etc. have their values shown. You can try here.

Does it mean that the date input is not vulnerable to SQL injection since you cannot modify its value? Or am I on the wrong track?


1 answer

  • doulu8446 2018-08-18 23:34

    You are on the wrong track because you have made an incorrect assumption that the user cannot modify the value, when all you are really proving is that a non-malicious user cannot trivially modify or malform the value.

    These are two very different things.

    There are, in reality, no valid exceptions to using prepared statements. It's a genuine tragedy how many tutorials and examples show building SQL statements with string concatenation. This should not be done. There are scenarios where it is "theoretically" safe, but this should not be part of your thinking process.

    Even if you got the data from your own database, you still cannot trust it and you do not need to be thinking about whether or not a value is subject to SQL injection, because the answer is always "yes."

    The only question is how difficult the exploit would be and how many layers of indirection might be involved.

    Malicious users do not usually use your application the way you intend. As noted in comments, command line tools like curl can be used to submit requests to your server that would be indistinguishable from requests sent by a browser. Everything coming in from the client is especially suspect, but even information that isn't from outside should be assumed to be potentially dangerous.

    This answer was selected by the asker as the best answer.
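The answer's point is that the browser's date picker only constrains what a cooperating browser sends; the server receives a plain string in the request body, and anything (curl, a proxy, a script) can put any string there. The following is an added example, not code from the question or the answer, that shows the consequence on a constructed in-memory SQLite table named events with a few sample rows: a query built by string concatenation, the same query with bound parameters, and a server-side shape check on the date field. The table, the rows, the owner names and the function names are all assumptions made for this illustration.

```python
import sqlite3
from datetime import date

# Constructed sample data for the example (not from the original post):
# a small events table where each row belongs to one owner.
SAMPLE_ROWS = [
    ("Team meeting", "2018-08-18", "alice"),
    ("Dentist", "2018-08-20", "alice"),
    ("Private review", "2018-08-18", "bob"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events ("
        "id INTEGER PRIMARY KEY, title TEXT, event_date TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO events (title, event_date, owner) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def events_on_date_concat(conn, owner, event_date):
    """Unsafe pattern: the value from the <input type='date'> field is
    spliced into the SQL text, so it can change the query's structure."""
    sql = (
        "SELECT title FROM events WHERE owner = '" + owner + "' "
        "AND event_date = '" + event_date + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def events_on_date_param(conn, owner, event_date):
    """Safe pattern: the SQL structure is fixed and both values are bound
    parameters, so the date string is only ever compared as data."""
    sql = "SELECT title FROM events WHERE owner = ? AND event_date = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner, event_date))]


def parse_date_field(raw):
    """Defense in depth on top of parameters: a date field must look like
    YYYY-MM-DD. Returns the normalised string, or None if it does not parse."""
    try:
        return date.fromisoformat(raw).isoformat()
    except (TypeError, ValueError):
        return None


def lookup_events(conn, owner, raw_date):
    """What a request handler should do: validate the field's shape, reject
    anything that is not a date, and query with bound parameters only."""
    normalised = parse_date_field(raw_date)
    if normalised is None:
        return ("rejected", [])
    return ("ok", events_on_date_param(conn, owner, normalised))


if __name__ == "__main__":
    conn = make_db()
    # What the date picker would send for 18 August 2018.
    print(events_on_date_concat(conn, "alice", "2018-08-18"))
    print(events_on_date_param(conn, "alice", "2018-08-18"))
    # A hand-built request is not bound by the picker: the field is a string.
    # With concatenation the AND/OR structure of the query changes and bob's
    # row is returned to alice; with parameters the same string matches nothing.
    malformed = "x' OR owner <> '"
    print(events_on_date_concat(conn, "alice", malformed))
    print(events_on_date_param(conn, "alice", malformed))
    print(lookup_events(conn, "alice", malformed))
```

The contrast is the whole point: the field type changes nothing about what the server must assume. Bound parameters remove the injection regardless of the input's origin, and the shape check only adds a cheap early rejection so that malformed values never reach the database at all.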
