WebApp Sec mailing list archives

Re: How to handle "special characters"


From: "Clint Bodungen" <clint () secureconsulting com>
Date: Wed, 10 Dec 2003 10:49:21 -0600

Under the Bugtraq forum... there is a thread (this month) called
'Interesting Case of SQL Injection'.  In that thread, they talk about
solutions to that very subject.


----- Original Message ----- 
From: "Sekurity Wizard" <s.wizard () boundariez com>
To: <webappsec () securityfocus com>
Sent: Wednesday, December 10, 2003 7:33 AM
Subject: How to handle "special characters"


Greetings,
  I had a developer pose an interesting question today, and I wasn't 100%
sure what the answer was - so I figured I'd turn to the community for
advice.

  There are certain characters which pose threats at different levels of the
application tier model.  Some at the client, some at the web server, and
others in the database.  Characters such as the &, |, ', ", and - can be
associated with database hacks, for the most part.  If a requirement is
there to absolutely keep these characters in, for example, interface with a
back-end legacy database, what's the best way to handle their existence?  As
a developer, what are the necessary and proper steps to take to avoid SQL
Injection, command execution or other attacks?

Just looking for some good best-practices..
  s.Wizard
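The question above asks how to keep characters such as &, |, ', " and - in the data while still avoiding SQL injection. The usual answer is to stop splicing the value into the SQL text at all and to pass it as a bound parameter, so the database never parses it as SQL. The following is an added example (not part of the original thread, and not code from either poster) that puts the vulnerable string-concatenation form beside the parameterized form, using Python's standard sqlite3 module and a constructed in-memory table; the table, column and account values are made up for the demonstration.

```python
import sqlite3

# Constructed sample data: customer names that contain the characters the
# question lists, which a legacy back end may legitimately require.
SAMPLE_ROWS = [
    ("O'Brien & Co.", "acct-1"),
    ('Smith "Pipe" | Sons', "acct-2"),
    ("Lee-Harper", "acct-3"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the untrusted value is pasted into the SQL text, so any
    quote or operator inside it is parsed as SQL rather than treated as data."""
    sql = "SELECT account FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened form: the SQL text is fixed and the value travels as a bound
    parameter, so every character of `name` is compared literally. Nothing
    has to be stripped or escaped, which is what keeps the legacy data intact."""
    sql = "SELECT account FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both forms against the same inputs and collect what each returns."""
    conn = make_db()
    results = {}

    # Legitimate data with an apostrophe: the concatenated query is not even
    # valid SQL, while the parameterized query finds the row.
    try:
        lookup_concat(conn, "O'Brien & Co.")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["param_apostrophe"] = lookup_param(conn, "O'Brien & Co.")

    # A value containing quote characters and SQL keywords: spliced into the
    # query text it changes the WHERE clause and every row comes back; as a
    # bound parameter it is just a string that matches no customer.
    probe = "x' OR '1'='1"
    results["concat_keywords"] = lookup_concat(conn, probe)
    results["param_keywords"] = lookup_param(conn, probe)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the developer in the question is the contrast between `lookup_concat` and `lookup_param`: with parameters the characters never need to be removed, because the driver hands them to the database separately from the statement. The same pattern exists in every mainstream database API (prepared statements in JDBC, `?` or `%s` placeholders in Python DB-API drivers); only the placeholder syntax differs.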


