Pacific Blue Software Logo

Input Sanitization for Delphi Applications

Sanitize and Validate User Input in Delphi

A utility class for sanitizing and validating user input in Delphi applications. Helps protect against common security vulnerabilities including HTML injection, XSS attacks, and SQL injection. Provides configurable options for different sanitization levels.


Key Features


Complete Source Code


unit PBS.LIB.Sanitize;

interface

uses
  System.SysUtils, System.RegularExpressions, System.Classes;

{ Sanitizer class to handle input validation and sanitization }

type
  TSanitizerOptions = set of (soStripHTML,
                              soPreventSQLInjection,
                              soRemoveExtraWhitespace);

  TSanitizer = class
  public
    class function Sanitize_Input
                   (const AInput   : string;
                    const AOptions : TSanitizerOptions =
                                     [soStripHTML,
                                      soPreventSQLInjection,
                                      soRemoveExtraWhitespace])
          : string; static;

    class function Strip_HTML_Tags (const AInput : string)
          : string; static;

    class function Prevent_SQL_Injection (const AInput: string)
          : string; static;

    class function Prepare_For_SQL (const AInput : string)
          : string; static;

    class function Remove_Extra_Whitespace (const AInput : string)
          : string; static;
  end;

implementation

{ TSanitizer }

class function TSanitizer.Sanitize_Input
      (const AInput   : string;
       const AOptions : TSanitizerOptions) : string;
begin
  Result := AInput;

  if soStripHTML in AOptions
  then Result := Strip_HTML_Tags (Result);

  if soPreventSQLInjection in AOptions
  then Result := Prevent_SQL_Injection (Result);

  if soRemoveExtraWhitespace in AOptions
  then Result := Remove_Extra_Whitespace (Result);
end;

class function TSanitizer.Strip_HTML_Tags
      (const AInput : string) : string;
begin
  { Remove all HTML tags }
  Result := TRegEx.Replace (AInput, '<[^>]+>', '');

  { Convert HTML entities to their character equivalents }
  Result := StringReplace (Result, '&lt;', '<', [rfReplaceAll, rfIgnoreCase]);
  Result := StringReplace (Result, '&gt;', '>', [rfReplaceAll, rfIgnoreCase]);
  Result := StringReplace (Result, '&amp;', '&', [rfReplaceAll, rfIgnoreCase]);
  Result := StringReplace (Result, '&quot;', '"', [rfReplaceAll, rfIgnoreCase]);
  Result := StringReplace (Result, '&#39;', '''', [rfReplaceAll, rfIgnoreCase]);
  Result := StringReplace (Result, '&nbsp;', ' ', [rfReplaceAll, rfIgnoreCase]);
end;

class function TSanitizer.Prevent_SQL_Injection
      (const AInput : string) : string;
begin
  { Basic SQL injection prevention by escaping single quotes }
  Result := StringReplace (AInput, '''', '''''', [rfReplaceAll]);

  { Remove other potential SQL injection characters/patterns }
  // Note: This is not a complete solution - always use parameterized queries!
  Result := StringReplace (Result, ';', '', [rfReplaceAll]);
  Result := StringReplace (Result, '--', '', [rfReplaceAll]);
  Result := StringReplace (Result, '/*', '', [rfReplaceAll]);
  Result := StringReplace (Result, '*/', '', [rfReplaceAll]);
  Result := StringReplace (Result, 'xp_', '', [rfReplaceAll]);
  Result := StringReplace (Result, 'EXEC ', '', [rfReplaceAll, rfIgnoreCase]);
  Result := StringReplace (Result, 'EXECUTE ', '', [rfReplaceAll, rfIgnoreCase]);
end;

class function TSanitizer.Prepare_For_SQL
      (const AInput : string) : string;
begin
  { For demonstration purposes. In practice, always use parameterized queries!}
  Result := StringReplace (AInput, '''', '''''', [rfReplaceAll]);
end;

class function TSanitizer.Remove_Extra_Whitespace
      (const AInput : string) : string;
begin
  // Convert multiple whitespace characters to a single space
  Result := TRegEx.Replace (AInput, '\s+', ' ');
  Result := Trim(Result);
end;

end.
  

Method Reference

Sanitize_Input

Main sanitization method that applies multiple sanitization options in sequence. By default, applies all three sanitization methods (HTML stripping, SQL injection prevention, whitespace removal). You can customize which sanitizations to apply using the TSanitizerOptions set.

Strip_HTML_Tags

Removes all HTML tags using regular expressions and converts common HTML entities (such as &lt;, &gt;, &amp;, &quot;, &#39;, &nbsp;) to their character equivalents. Helps prevent XSS attacks by removing potentially malicious HTML.

Prevent_SQL_Injection

Escapes single quotes and removes common SQL injection patterns including semicolons, SQL comments (--), multi-line comments (/* */), extended stored procedures (xp_), and EXEC/EXECUTE commands. Note: This is a basic defense layer - always use parameterized queries as your primary protection against SQL injection.

Prepare_For_SQL

Simple single-quote escaping for SQL strings. This is a lightweight alternative to Prevent_SQL_Injection when you only need to escape quotes. As with all string-based SQL protection, parameterized queries are still the recommended approach.

Remove_Extra_Whitespace

Normalizes whitespace by converting multiple consecutive whitespace characters (spaces, tabs, newlines) into a single space, then trims leading and trailing whitespace. Useful for cleaning up user input and preventing whitespace-based exploits.


Security Best Practices

SQL Injection Protection

While this sanitizer provides basic SQL injection prevention, always use parameterized queries (prepared statements) as your primary defense. String-based sanitization should be treated as an additional layer of defense, not a replacement for proper database access patterns.

HTML/XSS Protection

The HTML stripping removes tags and converts entities, but for web applications displaying user content, consider additional measures such as Content Security Policy (CSP) headers and context-aware output encoding.

Input Validation

Sanitization should complement validation, not replace it. Always validate that input meets your expected format (length, character set, pattern) before sanitizing and using it.


Requirements


PBS Delphi Input Sanitizer


Back to Articles for Developers
Back to Articles on Delphi
Convert Web colour to Delphi (Windows)
PBS Delphi Logger - Thread-safe logging with multiple outputs

If you found this useful, then please consider making a donation.

paypal
QR Code for donation Please donate if helpful