WebApp Sec mailing list archives

RE: How to handle "special characters"


From: "Brown, James F." <James.F.Brown () FMR com>
Date: Thu, 11 Dec 2003 11:29:16 -0500

For a list of dangerous metacharacters, check out OWASP's guide at 
http://www.owasp.org/documentation/guide/1.1/page.ptl?book=guide.1-1&chapter=N400A82#owasp-id,N400A88

After the guide shows the list, they discuss SQL Injection and several other
attacks.

================================
James F. Brown
Fidelity Investments
james.f.brown () fmr com
http://www.fidelity.com

-----Original Message-----
From: Tony Langley [mailto:tonyl () s2s ltd uk] 
Sent: Wednesday, December 10, 2003 11:56 AM
To: 'Sekurity Wizard'
Cc: webappsec () securityfocus com
Subject: RE: How to handle "special characters"


I hope you get a good clear set of answers, or at least some links for
further reference. It would be extremely useful to have a definitive
single point of reference for this.

Please let us know of anything useful which isn't copied to the mailing
list.

It would certainly be useful to know:

1) Which chars are always safe (if there are any).
2) Which chars are always dangerous.
3) Those which are sometimes one or the other.

Thanks...

Tony Langley.

Systems Architect
S2S Limited
-----------------------
 Tel: +44 8703 504 525
 Fax: +44 8703 504 526
-----------------------
http://www.s2s.ltd.uk

-----Original Message-----
From: Sekurity Wizard [mailto:s.wizard () boundariez com] 
Sent: 10 December 2003 13:34
To: webappsec () securityfocus com
Subject: How to handle "special characters"


Greetings,
  I had a developer pose an interesting question today, and I wasn't
100% sure what the answer was - so I figured I'd turn to the community
for advice.

  There are certain characters which pose threats at different levels of
the application tier model.  Some at the client, some at the web server,
and others in the database.  Characters such as the &, |, ', ", and -
can be associated with database hacks, for the most part.  If a
requirement is there to absolutely keep these characters in, for
example, interface with a back-end legacy database, what's the best way
to handle their existence?  As a developer, what are the necessary and
proper steps to take to avoid SQL Injection, command execution or other
attacks?

Just looking for some good best-practices..
  s.Wizard


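The question above asks how to keep characters such as &, |, ', " and - in the data while still avoiding SQL injection and command execution. The following is an added example and is not code from this thread or from the OWASP guide; it uses only Python's standard sqlite3 and subprocess modules, and the table name customers, the sample strings and the helper function names are constructed for the demonstration. It shows the concatenated query failing on a legitimate apostrophe (the same parsing flaw an injection relies on), the bound-parameter query storing every sample byte-for-byte, and a subprocess call that passes the string as a list argument so no shell ever interprets it.

```python
"""Added example (not from the original thread): keeping metacharacters
such as & | ' " and - in data while avoiding SQL injection and shell
command execution.  Standard library only; table name, sample values and
helper names are constructed for this demo."""
import sqlite3
import subprocess
import sys

# Constructed sample inputs containing every character the question lists.
SAMPLES = [
    "O'Brien & Sons",
    'Say "hi" | grep -v',
    "dash-dash -- comment",
]


def _connect():
    """Fresh in-memory database with one constructed table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    return con


def insert_concat(con, name):
    """The unsafe pattern: data spliced into the SQL text.  Any quote in
    the data changes the statement's structure; on a legitimate name with
    an apostrophe it simply fails, which is the same flaw injection abuses."""
    con.execute("INSERT INTO customers (name) VALUES ('" + name + "')")


def insert_param(con, name):
    """The safe pattern: the SQL text is fixed and the value travels
    separately as a bound parameter, so the database never parses it."""
    con.execute("INSERT INTO customers (name) VALUES (?)", (name,))


def roundtrip_param(values):
    """Store each value with a bound parameter, read it back by exact match
    (again with a bound parameter) and return what the database returned."""
    con = _connect()
    for v in values:
        insert_param(con, v)
    out = []
    for v in values:
        row = con.execute(
            "SELECT name FROM customers WHERE name = ?", (v,)).fetchone()
        out.append(row[0] if row else None)
    return out


def concat_survives(value):
    """True only if string concatenation managed to store the value at all.
    Note that some metacharacter-laden inputs do get through, which is why
    'it worked in testing' says nothing about the pattern's safety."""
    con = _connect()
    try:
        insert_concat(con, value)
        return True
    except sqlite3.OperationalError:
        return False


def run_without_shell(filename):
    """Command execution: pass arguments as a list (no shell=True) so the
    child process receives the literal string; & | and quotes inside it
    are never interpreted by a shell.  The child here is just Python
    echoing its first argument, standing in for any real tool."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print(roundtrip_param(SAMPLES))                  # all three back verbatim
    print([concat_survives(s) for s in SAMPLES])     # [False, True, True]
    print(run_without_shell("quarterly & annual | notes.txt"))
```

The point of concat_survives is that two of the three samples pass through the concatenated query without error: the failure mode is input-dependent, so the fix is structural (bound parameters, argument lists) rather than a list of characters to strip, which also answers the requirement to keep those characters in the stored data.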