I need to safely prepare a string that uses user input. I’m using a flutter package called sql_conn to communicate with a SQL database. This is a temporary solution until we build a web server to take in all calls.
This is an example of how a SQL request is sent:
var connectionAllowedResult = await SqlConn.readData("declare @Allowed bit declare @Status nvarchar(4000) exec spHandheldConnectionAllowed '$username', '$ipAddress', '$dbName', @Allowed output, @Status output");
How do I safely prepare this so that a user can’t maliciously insert their own SQL statement?
2 Answers
Well, it’s not a good idea to write SQL-related functions directly in the frontend application; I prefer to use a separate backend service like Django or Flask to handle backend queries and then use HTTP API calls in Flutter.
The package validation_chain on pub.dev might help you out. There are great examples of using custom functions to provide validation.
Doing input validation when the user inputs the field and before the SQL statement would be a start.
Another suggestion is to use types that disallow improper input. Instead of storing an IP address as a string, store it as a list of 4 ints, etc.
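As an added example, not taken from either answer or from the sql_conn package, here is the validation-and-typed-input idea applied to the three user-controlled values in the question: each value is checked against a strict allowlist (the IP address is parsed into four ints and re-rendered) before it is interpolated into the same statement string. The database names in the allowlist are hypothetical placeholders.

```dart
// Added example: allowlist validation for the user-controlled values
// (username, ipAddress, dbName) before they are interpolated into the
// statement from the question. Not from the answers or the sql_conn package.

class ValidationException implements Exception {
  final String message;
  ValidationException(this.message);
  @override
  String toString() => 'ValidationException: $message';
}

/// Accepts only a short identifier-like username; quotes, semicolons and
/// whitespace are all rejected, so the quoted literal cannot be terminated.
String validateUsername(String input) {
  final re = RegExp(r'^[A-Za-z0-9_.\-]{1,64}$');
  if (!re.hasMatch(input)) throw ValidationException('bad username');
  return input;
}

/// Parses an IPv4 address into four ints and re-renders it, so the returned
/// string can only ever have the form d.d.d.d with each octet in 0..255.
String validateIpv4(String input) {
  final parts = input.split('.');
  if (parts.length != 4) throw ValidationException('bad ip');
  final octets = parts.map((p) {
    final n = int.tryParse(p);
    // p != n.toString() rejects "+1", "01" and padded values.
    if (n == null || n < 0 || n > 255 || p != n.toString()) {
      throw ValidationException('bad ip');
    }
    return n;
  }).toList();
  return octets.join('.');
}

/// Database name must be one the app already knows about.
String validateDbName(String input) {
  const allowed = {'HandheldProd', 'HandheldTest'}; // hypothetical names
  if (!allowed.contains(input)) throw ValidationException('bad db name');
  return input;
}

/// Builds the statement from the question, but only from validated parts.
String buildConnectionAllowedSql(String username, String ipAddress, String dbName) {
  final u = validateUsername(username);
  final ip = validateIpv4(ipAddress);
  final db = validateDbName(dbName);
  return "declare @Allowed bit declare @Status nvarchar(4000) "
      "exec spHandheldConnectionAllowed '$u', '$ip', '$db', @Allowed output, @Status output";
}
```

The returned string can be passed to SqlConn.readData exactly as in the question; this only narrows what can reach the literal positions and is a stopgap until the backend with real parameterized queries exists.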