[thelist] Server validation -- which chars to reject?
Kevin
p+evolt at redbrick.dcu.ie
Sun Nov 10 08:07:01 CST 2002
On Sat, Nov 09, 2002 at 11:23:35PM -0600, Ken Kogler wrote:
> > sure, it can be used in an injection attack, but *not*
> > if you're performing a replace from "'" to "''", which
> > you should be doing anyway if the application server
> > doesn't already do it for you.
> But I still don't get this: There's no way to allow someone to have a
> password of "aje$jaf7#hd&!", correct?
There is.
You just need to escape the 'awkward' characters.
> If I were to sign up for a new account on evolt, would it yell at me if
> I tried to use that password? If not, is it converting those characters
> to their numeric entities, or what?
Most likely it escapes them, so they're treated as part of the string and not as
special characters anymore.
Depending on your OS, programming language and database, there are usually prebuilt
functions for this kind of thing. (:
If it's ASP, this might be useful:
http://heap.nologin.net/aspsec.html
or this for others:
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2
> Just can't seem to wrap my brain around this one at 11:20pm...
Thankfully it's 2pm here. (:
- Kevin
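The "'" -> "''" replace discussed in this thread, shown side by side with the unescaped
query and with a parameterized query. This is an added illustration, not code from the
thread or from evolt; the accounts, the sqlite3 in-memory database and the function
names (sql_quote, login_naive, login_escaped, login_param) are constructed for the
example. The password "aje$jaf7#hd&!" from the question is stored and checked unchanged
by all three variants, since none of those characters mean anything inside a SQL string
literal; only the quote needs escaping, and the escaped and parameterized variants both
handle it. Two caveats the thread does not spell out: quote-doubling only protects
values that sit inside single-quoted string literals (a number spliced in bare is not
covered, and some databases also treat backslash as an escape), and real applications
store a password hash rather than the password itself. Parameterized queries, as in
login_param, avoid the escaping question entirely.

```python
import sqlite3

# Constructed sample accounts (not from the original thread). Passwords are
# kept in plaintext only to mirror the thread's question; a real system
# would store a salted hash instead.
ACCOUNTS = [
    ("ken", "aje$jaf7#hd&!"),   # the password from the question
    ("kevin", "it's'a'pass"),   # contains the one character that matters
]


def setup_db():
    """Create an in-memory SQLite database with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ACCOUNTS)
    return conn


def sql_quote(value):
    """Quote a value for use as a SQL string literal by doubling every
    single quote: the "'" -> "''" replace discussed in the thread."""
    return "'" + value.replace("'", "''") + "'"


def login_naive(conn, name, password):
    """Vulnerable: values are spliced into the query verbatim, so a quote
    in either value changes the query's structure. Returns True/False on
    a well-formed query, or None when the spliced text is not valid SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return None


def login_escaped(conn, name, password):
    """Same query shape, but every value goes through sql_quote first."""
    sql = ("SELECT name FROM users WHERE name = %s AND password = %s"
           % (sql_quote(name), sql_quote(password)))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    """Parameterized query: the driver sends values separately from the
    statement, so no character in the value can alter the SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"   # classic injection in the password field
    for fn in (login_naive, login_escaped, login_param):
        print(fn.__name__,
              "ken/real:", fn(db, "ken", "aje$jaf7#hd&!"),
              "kevin/real:", fn(db, "kevin", "it's'a'pass"),
              "ken/injected:", fn(db, "ken", payload))
```

Running the script shows the naive variant failing on the legitimate password that
contains a quote (None, a syntax error) and accepting the injected one (True), while
both the escaped and the parameterized variants accept the real passwords and reject
the injection.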