Re: Escape html tags and other dangerous input

From: Ben Lucas (ben_at_nospam.solien.nospam.com)
Date: 09/29/04


Date: Wed, 29 Sep 2004 09:43:09 -0700

Given your earlier code, I would block &, ', %, and "

The & affects the querystring. % can be used to have an effect on the
search results. Single quotes can end the SQL statement allowing for a SQL
injection attack. And double quotes can end the href in the anchor tag,
allowing the possibility for cross-site scripting.

-- 
Ben Lucas
Lead Developer
Solien Technology, Inc.
www.solien.com
"Shabam" <blislecp@hotmail.com> wrote in message
news:uumdnRH2-IP0-MfcRVn-pg@adelphia.com...
> "Ben Lucas" <ben@nospam.solien.nospam.com> wrote in message
> news:LLSdncYLs6CB9sTcRVn-hA@comcast.com...
> > To prevent this kind of injection attack, I would validate the user input
> > and disallow the offending characters.  If you were not using it in a
> > hyperlink, I would suggest HTML Encoding it, as that would prevent the HTML
> > injection, but that doesn't help with the ampersand, and the search page
> > would need to HTML Unencode it or it would affect the search results.  If
> > you cannot disallow the offending characters, then you will need some way
> > to change the ampersand on your querystring so that it is not an ampersand
> > but can be interpreted by the search page correctly.
>
> Besides the following characters, which others are potentially dangerous?
> Is there a complete list somewhere?
>
> ', %, #, &, !
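Rather than blocking characters, each output context can be encoded for what it is: the search term is URL-encoded when it goes into the querystring (which neutralises & and %), the resulting URL is HTML-encoded when it goes into the href attribute (which neutralises " and any remaining &), and the search page binds the term as a SQL parameter and escapes LIKE wildcards (which neutralises ' and %). The following Python example is added here to illustrate that; it is not code from the thread. The page name `/search.asp`, the `q` and `page` parameters, the product table and the sample terms are all constructed for the demonstration.

```python
import html
import sqlite3
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample search terms; each carries one of the characters the
# thread singles out (&, %, ', ").
SAMPLE_TERMS = ["fish & chips", "100% cotton", "O'Brien", 'say "hi"']


def build_search_link(term, page=1, base="/search.asp"):
    """Return an <a href> that carries `term` through the querystring.

    Two layers, one per context: urlencode() makes &, %, ' and " safe inside
    the URL (so & cannot split the querystring), then html.escape() makes the
    URL safe inside the HTML attribute (so " cannot end the href and the
    parameter separator & becomes &amp;). The visible link text is
    HTML-escaped separately.
    """
    url = base + "?" + urlencode({"q": term, "page": page})
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(term))


def term_from_link(anchor):
    """Undo the two layers in reverse order, as the search page would: take
    the href value, HTML-unescape it, then parse the querystring."""
    start = anchor.index('href="') + len('href="')
    end = anchor.index('"', start)
    url = html.unescape(anchor[start:end])
    return parse_qs(urlsplit(url).query)["q"][0]


def make_catalogue():
    """Constructed in-memory product table to search against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [
        ("Fish & Chips Basket",), ("100% cotton tee",), ("100 percent wool",),
        ("O'Brien's Ale",), ('Say "hi" card',),
    ])
    return conn


def search_products(conn, term):
    """Parameterised LIKE search. The term is bound as a parameter, so a
    quote is data and cannot end the statement; % and _ are escaped so they
    match literally instead of acting as LIKE wildcards."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_catalogue()
    for term in SAMPLE_TERMS:
        link = build_search_link(term)
        assert term_from_link(link) == term  # round trip survives every term
        print(link)
        print("  ->", search_products(conn, term))
```

With this in place "100% cotton" finds only the product whose name literally contains "100%", not every name starting with "100", and "O'Brien" reaches the database as a value rather than as part of the statement text; no character needs to be refused.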

