A utility class for sanitizing and validating user input in Delphi applications. Helps protect against common security vulnerabilities including HTML injection, XSS attacks, and SQL injection. Provides configurable options for different sanitization levels.
unit PBS.LIB.Sanitize;
interface
uses
System.SysUtils, System.RegularExpressions, System.Classes;
{ Sanitizer class to handle input validation and sanitization }
type
TSanitizerOptions = set of (soStripHTML,
soPreventSQLInjection,
soRemoveExtraWhitespace);
TSanitizer = class
public
class function Sanitize_Input
(const AInput : string;
const AOptions : TSanitizerOptions =
[soStripHTML,
soPreventSQLInjection,
soRemoveExtraWhitespace])
: string; static;
class function Strip_HTML_Tags (const AInput : string)
: string; static;
class function Prevent_SQL_Injection (const AInput: string)
: string; static;
class function Prepare_For_SQL (const AInput : string)
: string; static;
class function Remove_Extra_Whitespace (const AInput : string)
: string; static;
end;
implementation
{ TSanitizer }
class function TSanitizer.Sanitize_Input
(const AInput : string;
const AOptions : TSanitizerOptions) : string;
begin
Result := AInput;
if soStripHTML in AOptions
then Result := Strip_HTML_Tags (Result);
if soPreventSQLInjection in AOptions
then Result := Prevent_SQL_Injection (Result);
if soRemoveExtraWhitespace in AOptions
then Result := Remove_Extra_Whitespace (Result);
end;
class function TSanitizer.Strip_HTML_Tags
(const AInput : string) : string;
begin
{ Remove all HTML tags }
Result := TRegEx.Replace (AInput, '<[^>]+>', '');
{ Convert HTML entities to their character equivalents }
Result := StringReplace (Result, '<', '<', [rfReplaceAll, rfIgnoreCase]);
Result := StringReplace (Result, '>', '>', [rfReplaceAll, rfIgnoreCase]);
Result := StringReplace (Result, '&', '&', [rfReplaceAll, rfIgnoreCase]);
Result := StringReplace (Result, '"', '"', [rfReplaceAll, rfIgnoreCase]);
Result := StringReplace (Result, ''', '''', [rfReplaceAll, rfIgnoreCase]);
Result := StringReplace (Result, ' ', ' ', [rfReplaceAll, rfIgnoreCase]);
end;
class function TSanitizer.Prevent_SQL_Injection
(const AInput : string) : string;
begin
{ Basic SQL injection prevention by escaping single quotes }
Result := StringReplace (AInput, '''', '''''', [rfReplaceAll]);
{ Remove other potential SQL injection characters/patterns }
// Note: This is not a complete solution - always use parameterized queries!
Result := StringReplace (Result, ';', '', [rfReplaceAll]);
Result := StringReplace (Result, '--', '', [rfReplaceAll]);
Result := StringReplace (Result, '/*', '', [rfReplaceAll]);
Result := StringReplace (Result, '*/', '', [rfReplaceAll]);
Result := StringReplace (Result, 'xp_', '', [rfReplaceAll]);
Result := StringReplace (Result, 'EXEC ', '', [rfReplaceAll, rfIgnoreCase]);
Result := StringReplace (Result, 'EXECUTE ', '', [rfReplaceAll, rfIgnoreCase]);
end;
class function TSanitizer.Prepare_For_SQL
(const AInput : string) : string;
begin
{ For demonstration purposes. In practice, always use parameterized queries!}
Result := StringReplace (AInput, '''', '''''', [rfReplaceAll]);
end;
class function TSanitizer.Remove_Extra_Whitespace
(const AInput : string) : string;
begin
// Convert multiple whitespace characters to a single space
Result := TRegEx.Replace (AInput, '\s+', ' ');
Result := Trim(Result);
end;
end.
Main sanitization method that applies multiple sanitization options in sequence. By default, applies all three sanitization methods (HTML stripping, SQL injection prevention, whitespace removal). You can customize which sanitizations to apply using the TSanitizerOptions set.
Removes all HTML tags using regular expressions and converts common HTML entities (such as <, >, &, ", ', ) to their character equivalents. Helps prevent XSS attacks by removing potentially malicious HTML.
Escapes single quotes and removes common SQL injection patterns including semicolons, SQL comments (--), multi-line comments (/* */), extended stored procedures (xp_), and EXEC/EXECUTE commands. Note: This is a basic defense layer - always use parameterized queries as your primary protection against SQL injection.
Simple single-quote escaping for SQL strings. This is a lightweight alternative to Prevent_SQL_Injection when you only need to escape quotes. As with all string-based SQL protection, parameterized queries are still the recommended approach.
Normalizes whitespace by converting multiple consecutive whitespace characters (spaces, tabs, newlines) into a single space, then trims leading and trailing whitespace. Useful for cleaning up user input and preventing whitespace-based exploits.
While this sanitizer provides basic SQL injection prevention, always use parameterized queries (prepared statements) as your primary defense. String-based sanitization should be treated as an additional layer of defense, not a replacement for proper database access patterns.
The HTML stripping removes tags and converts entities, but for web applications displaying user content, consider additional measures such as Content Security Policy (CSP) headers and context-aware output encoding.
Sanitization should complement validation, not replace it. Always validate that input meets your expected format (length, character set, pattern) before sanitizing and using it.
Please donate if helpful