[thelist] Server validation -- which chars to reject?

Ken Kogler ken.kogler at curf.edu
Sat Nov 9 23:30:01 CST 2002


> sure, it can be used in an injection attack, but *not*
> if you're performing a replace from "'" to "''", which
> you should be doing anyway if the application server
> doesn't already do it for you.

But I still don't get this: There's no way to allow someone to have a
password of "aje$jaf7#hd&!", correct?

If I were to sign up for a new account on evolt, would it yell at me if
I tried to use that password? If not, is it converting those characters
to their numeric entities, or what?

Just can't seem to wrap my brain around this one at 11:20pm...

--Ken
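To make the point of the thread concrete: the only character an SQL string literal treats specially is the single quote, so a password like "aje$jaf7#hd&!" needs no rejection and no entity conversion. The example below is added here and is not code from the thread or from evolt; it uses an in-memory SQLite database (constructed for the example) to show both the quote-doubling replace the quoted reply describes and the preferred alternative, a parameterized query, each storing and returning the password verbatim.

```python
import sqlite3

# Constructed sample password taken from the question in the thread.
SAMPLE_PASSWORD = "aje$jaf7#hd&!"


def escape_single_quotes(value: str) -> str:
    """The replacement the quoted reply describes: ' becomes ''.

    Only the single quote terminates an SQL string literal, so
    characters such as $ # & ! pass through unchanged.
    """
    return value.replace("'", "''")


def _fresh_db() -> sqlite3.Connection:
    """In-memory table for the example (constructed, not evolt's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    return conn


def store_and_fetch_parameterized(username: str, password: str) -> str:
    """Preferred approach: bind values as parameters.

    The driver keeps data separate from the SQL text, so no character
    in the password can alter the statement and nothing is escaped or
    converted; the stored value is returned exactly as supplied.
    """
    conn = _fresh_db()
    conn.execute("INSERT INTO users (name, pw) VALUES (?, ?)", (username, password))
    row = conn.execute("SELECT pw FROM users WHERE name = ?", (username,)).fetchone()
    conn.close()
    return row[0]


def store_and_fetch_escaped(username: str, password: str) -> str:
    """String-built statement made safe by doubling single quotes.

    This is the replace the quoted reply recommends when the application
    server does not parameterize for you; the password still round-trips
    unchanged because the database collapses '' back to ' on storage.
    """
    conn = _fresh_db()
    sql = "INSERT INTO users (name, pw) VALUES ('%s', '%s')" % (
        escape_single_quotes(username),
        escape_single_quotes(password),
    )
    conn.execute(sql)
    row = conn.execute("SELECT pw FROM users WHERE name = ?", (username,)).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    print(store_and_fetch_parameterized("ken", SAMPLE_PASSWORD))
    print(store_and_fetch_escaped("ken", "o'neil$7!"))
```

Both functions return the password exactly as entered, which answers the question directly: a site does not have to "yell" at a password containing $, #, & or !, and it does not need to convert them to numeric entities; it only needs to keep the value out of the SQL text, either by binding it as a parameter or by doubling any single quote before concatenation.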