RE: How to handle "special characters"

["Tony Langley" <tonyl () s2s ltd uk>]

I hope you get a good clear set of answers, or at least some links for
further reference. It would be extremely useful to have a definitive
single point of reference for this.

Please let us know of anything useful which isn't copied to the mailing
list?

It would certainly be useful to know:

1) Which chars are always safe (if there are any).
2) Which chars are always dangerous.
3) Those which are sometimes one or the other.

Thanks...

Tony Langley.

Systems Architect
S2S Limited
-----------------------
 Tel: +44 8703 504 525
 Fax: +44 8703 504 526
-----------------------
http://www.s2s.ltd.uk

-----Original Message-----
From: Sekurity Wizard [mailto:s.wizard () boundariez com] 
Sent: 10 December 2003 13:34
To: webappsec () securityfocus com
Subject: How to handle "special characters"


Greetings,
  I had a developer pose an interesting question today, and I wasn't
100% sure what the answer was - so I figured I'd turn to the community
for advice.

  There are certain characters which pose threats at different levels of
the application tier model.  Some at the client, some at the web server,
and others in the database.  Characters such as the &, |, ', ", and -
can be associated with database hacks, for the most part.  If a
requirement is there to absolutely keep these characters in, for
example, interface with a back-end legacy database, whats the best way
to handle their existance?  As a developer, what are the necessary and
proper steps to take to avoid SQL Injection, command execution or other
attacks?

Just looking for some good best-practices..
  s.Wizard