At 5:53 PM +0100 9/27/01, johnlucas-Arluna wrote:
>There has been a bit of talk about being carefull to check and escape using
>input from web pages/sites, as the correct sequence could be used
>maliciously to drop databases, tables, alter values, change permissions etc.
>Can anyone out there provide a good summary or refer to a source that covers
>both the things to do database side (eg. HTMLEncode/URLEncode, escaping '\'
>etc.) and perhaps some useful tests that would show where a problem is not
>being handled correctly.
What language or languages are you using?
>I have done what I have found:
>1) replace '\' with '\\' and ' with \'
>2) I have also considered HTMLEncoding all entries, but this means DeCoding
>it again if you are not presenting it into a browser.
>Any help greatly appreciated on a worrying topic.
Paul DuBois, paul@stripped