vwbusguy / beefy-connection

A kiosk for connecting with potential contributors and following up from event contacts.
GNU General Public License v3.0

Apostrophes not allowed in input #35

Open jdeisenberg opened 9 years ago

jdeisenberg commented 9 years ago

This doesn't let people with names like O'Hara register. Does the flask backend use parameterized SQL? If so, then we should be able to allow virtually any characters, as parameterized SQL avoids the "little Bobby tables" problem.

vwbusguy commented 9 years ago

This should be allowed. We're using SQLAlchemy for the SQL handling. I'll do some testing on this soon. Thanks!

vwbusguy commented 9 years ago

According to the SQLAlchemy docs here - https://www.safaribooksonline.com/library/view/essential-sqlalchemy/9780596516147/ch01.html - in the section on "SQL Injection Attacks", we should be OK the way we're currently implementing this.

The JavaScript validation serves two purposes: a preliminary defense against SQL injection, and valid field data (i.e., valid email address format, digits in phone number, etc.). The latter goal is getting stepped on by the former.

What we really need to do is some testing on this to see if we can get rid of the SQL injection on js side in general and handle it on the server side and just worry about valid form data. Either way, someone who could manage to get to the dev console and write bogus data in a post could get past the front end validation. The likelihood of that happening at a conference kiosk is close to unthinkable, but still something we should test.

jdeisenberg commented 9 years ago

The quickest way to test is to build a duplicate version and try entering a first name of '); DROP TABLE person; and see what happens. I tried doing this, but couldn't find where the database had been created. I tried this, and it appears to enter a new person whose first name is '); DROP TABLE person;

You want to make sure that less than, greater than, and ampersand are properly encoded as entities so that people can't enter a script tag into their information.
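An added example, not the project's code, that demonstrates what the thread is testing for using the standard-library sqlite3 module in place of SQLAlchemy: a parameterized insert stores O'Hara and the probe string literally while the person table survives, the string-built query breaks on the apostrophe, and html.escape handles the entity encoding mentioned above. The person table schema and the email regex are assumptions.

```python
import html
import re
import sqlite3
# Constructed inputs: the apostrophe case from the issue, the probe string
# from the thread, and a script tag for the output-encoding point.
SAMPLE_NAMES = ["O'Hara", "'); DROP TABLE person;", "<script>alert(1)</script>"]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def open_db():
    """In-memory stand-in for person.db; the schema is assumed, not the project's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT)")
    return conn

def validate(first_name, email):
    """Server-side format checks only: no character blacklist on the name."""
    if not first_name.strip():
        raise ValueError("first name required")
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email address")

def add_person(conn, first_name, email):
    """Parameterized insert: the driver binds the values, so quotes stay data."""
    validate(first_name, email)
    conn.execute("INSERT INTO person (first_name, email) VALUES (?, ?)", (first_name, email))
    conn.commit()

def unsafe_insert_fails(conn, first_name):
    """The string-built query the thread warns about; True if this input breaks it."""
    try:
        conn.execute(f"INSERT INTO person (first_name) VALUES ('{first_name}')")
        return False
    except sqlite3.Error:
        return True

def list_names(conn):
    return [row[0] for row in conn.execute("SELECT first_name FROM person ORDER BY id")]

def render_name(first_name):
    """Escape <, >, & and quotes before placing a stored name in an HTML page."""
    return html.escape(first_name, quote=True)

def demo():
    conn = open_db()
    for name in SAMPLE_NAMES:
        add_person(conn, name, "user@example.com")
    stored = list_names(conn)
    table_row = conn.execute("SELECT name FROM sqlite_master WHERE name = 'person'").fetchone()
    return stored, table_row is not None, [render_name(n) for n in stored]
```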

vwbusguy commented 9 years ago

By default, it should store the data in 'person.db' if you're using SQLite.