security sql based attack prevention

[starlightretailceo]

Sanitizing untrusted input is a common technique for preventing injection attacks such as SQL injection or cross-site scripting. Usually, this is done by escaping meta-characters such as quotes in a domain-specific way so that they are treated as normal characters.

However, directly using the string replace method to perform escaping is notoriously error-prone. Common mistakes include only replacing the first occurrence of a meta-character, or backslash-escaping various meta-characters but not the backslash itself.

In the former case, later meta-characters are left undisturbed and can be used to subvert the sanitization. In the latter case, preceding a meta-character with a backslash leads to the backslash being escaped, but the meta-character appearing un-escaped, which again makes the sanitization ineffective.

Even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output.

Description

Contribution Checklist

yesI have built and tested the code locally and in a deployed app

• yes For frontend changes, I have pulled the latest code from main, built the frontend, and committed all static files.
• yes This is a change for all users of this app. No code or asset is specific to my use case or my organization.
• yes I didn't break any existing functionality :smile: @microsoft-github-policy-service agree [company=starlight retail inc]

[starlightretailceo]

@microsoft-github-policy-service agree [company="STARLIGHT RETAIL INC"]