[thelist] Server validation -- which chars to reject?

Kevin p+evolt at redbrick.dcu.ie
Sun Nov 10 08:07:01 CST 2002


On Sat, Nov 09, 2002 at 11:23:35PM -0600, Ken Kogler wrote:
> > sure, it can be used in an injection attack, but *not*
> > if you're performing a replace from "'" to "''", which
> > you should be doing anyway if the application server
> > doesn't already do it for you.

> But I still don't get this: There's no way to allow someone to have a
> password of "aje$jaf7#hd&!", correct?

There is.
You just need to escape the 'awkward' characters.

> If I were to sign up for a new account on evolt, would it yell at me if
> I tried to use that password? If not, is it converting those characters
> to their numeric entities, or what?

It escapes them so they're treated as a string and not a special char anymore,
most likely.

Depending on your OS, programming language & database there are usually prebuilt
functions for this kind of thing. (:

If it's ASP, this might be useful:
http://heap.nologin.net/aspsec.html
or this for others:
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2

> Just can't seem to wrap my brain around this one at 11:20pm...

Thankfully it's 2pm here. (:

- Kevin
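As an added example (not code from the thread or its authors), both approaches in Python with sqlite3: the replace-`'`-to-`''` escaping Kevin describes, and a parameterised query, which is the kind of prebuilt function most database libraries provide. The `users` table, the account names and the `roundtrip` helper are assumptions made for the demonstration.

```python
import sqlite3


def escape_sql_string(value: str) -> str:
    """The escaping the thread describes: double every single quote so it is
    read as a literal character inside a '...' string literal, not as the
    end of the literal. It covers only that one case, which is why a
    parameterised query (below) is the safer default."""
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    return conn


def store_escaped(conn: sqlite3.Connection, name: str, password: str) -> None:
    # SQL text built by hand; correctness rests entirely on escape_sql_string.
    sql = "INSERT INTO users (name, password) VALUES ('%s', '%s')" % (
        escape_sql_string(name), escape_sql_string(password))
    conn.execute(sql)


def store_parameterized(conn: sqlite3.Connection, name: str, password: str) -> None:
    # The driver sends the values separately from the SQL text, so no
    # character in them can change the statement's structure.
    conn.execute("INSERT INTO users (name, password) VALUES (?, ?)", (name, password))


def fetch_password(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def roundtrip(store):
    """Store two constructed values with the given function and read them back.
    A real application stores a password hash, not the password; the
    round-trip here only shows that the characters survive intact."""
    conn = setup_db()
    store(conn, "ken", "aje$jaf7#hd&!")          # the password from the thread
    store(conn, "o'brien", "it's 'quoted'")      # single quotes in both columns
    return fetch_password(conn, "ken"), fetch_password(conn, "o'brien")


if __name__ == "__main__":
    print(roundtrip(store_escaped))
    print(roundtrip(store_parameterized))
```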
