List: General Discussion
From: Paul DuBois  Date: September 27 2001 4:59pm
Subject: Re: Escape strategy for web user form entry
At 5:53 PM +0100 9/27/01, johnlucas-Arluna wrote:
>Hi Folks
>
>There has been a bit of talk about being careful to check and escape using
>input from web pages/sites, as the correct sequence could be used
>maliciously to drop databases, tables, alter values, change permissions etc.
>etc.
>
>Can anyone out there provide a good summary or refer to a source that covers
>both the things to do database side (eg. HTMLEncode/URLEncode, escaping '\'
>etc.) and perhaps some useful tests that would show where a problem is not
>being handled correctly.

What language or languages are you using?

>I have done what I have found:
>
>1) replace '\' with '\\' and ' with \'
>
>2) I have also considered HTMLEncoding all entries, but this means DeCoding
>it again if you are not presenting it into a browser.
>
>Any help greatly appreciated on a worrying topic.
>
>Joh.


-- 
Paul DuBois, paul@stripped
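An added example, not from this thread or its participants, showing the two replacements the original poster describes next to the fuller escape set MySQL's C API applies (mysql_real_escape_string), and the parameterized-query alternative that makes escaping the driver's job. Python's sqlite3 is used as an offline stand-in for a MySQL driver; the escape table assumes MySQL's default backslash-escaping sql_mode and a single-byte or UTF-8 connection charset.

```python
import sqlite3

# Characters mysql_real_escape_string() rewrites (assumption: default sql_mode
# without NO_BASHSLASH_ESCAPES disabled, single-byte or UTF-8 charset).
# \0 matters for C clients, where a raw NUL would truncate the statement string.
_MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def naive_escape(value: str) -> str:
    """Only the two replacements from the original post, for comparison."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_mysql_string(value: str) -> str:
    """Escape a string for use inside a single-quoted MySQL literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_literal_query(name: str) -> str:
    """String concatenation: safety rests entirely on the escaping above."""
    return f"SELECT id FROM users WHERE name = '{escape_mysql_string(name)}'"


def lookup_with_placeholder(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so no character in `name` can alter the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with quote and backslash in the data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("O'Reilly",), ("back\\slash",), ("plain",)],
    )
    return conn
```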