07-12-2007, 10:40 PM
[eluser]chrisco23[/eluser]
Hello,
I have a section on one of my sites where a user can create a URL to their profile, kind of like myspace does with "myspace.com/myname".
Over time someone wanted to use a "+" and someone else wanted to use an "@", and I went ahead and added these to the uri_permitted_chars. If someone knows of a security issue with that, please let me know!
But today someone wanted to use a "'" (single-quote aka apostrophe) and it is disallowed but my validation routine didn't catch it. I'm not going to add the single-quote because that sounds like it's asking for some kind of sql injection.
Can anyone suggest the best way to handle what I should say on the form and what routine I should invoke in validation to catch and prevent the disallowed characters? I guess some kind of ereg should do it, right?
Thanks,
Chris
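Added example (not from the original post or from CodeIgniter itself): an allowlist check for the profile slug, written with preg_match (PCRE) rather than ereg. The function name, the rule name and the reserved-name list are assumptions made for the example. Two practitioner notes on the question as asked: an allowlist like this decides what is URL-safe and what users may choose, but it is not what stops SQL injection; that is done by bound parameters or escaping at the query, whichever characters the slug allows. Also, "+" is only a literal in the path; if a slug is ever placed in a query string it decodes to a space, so keep slugs out of query parameters or encode them first.

```php
<?php
// Added example, not code from the original forum post. Allowlist
// validation for a user-chosen profile slug (site.com/<slug>).
// Assumes PHP with PCRE; names below are hypothetical.

// Allowed: letters, digits, '.', '_', '-', plus the '+' and '@' the poster
// already permits. Anything else, including the apostrophe and all non-ASCII
// bytes (no /u flag, so multibyte sequences never match), is rejected.
// Length 3..32, first character must be a letter or digit.
// '\z' rather than '$' so a trailing newline cannot slip past the check.
define('PROFILE_SLUG_PATTERN', '/^[A-Za-z0-9][A-Za-z0-9._+@-]{2,31}\z/');

// Path segments a slug must not shadow (constructed list for the example).
$GLOBALS['reserved_slugs'] = array('admin', 'login', 'logout', 'profile', 'static');

// Returns '' when $slug is acceptable, otherwise a message for the form.
function profile_slug_error($slug)
{
    if (!is_string($slug) || $slug === '') {
        return 'Please choose a profile name.';
    }
    if (preg_match(PROFILE_SLUG_PATTERN, $slug) !== 1) {
        // Tell the user exactly which characters were refused.
        preg_match_all('/[^A-Za-z0-9._+@-]/', $slug, $m);
        $bad = array_unique($m[0]);
        if (count($bad) > 0) {
            return 'These characters are not allowed: '
                . htmlspecialchars(implode(' ', $bad), ENT_QUOTES, 'UTF-8')
                . '. Use letters, digits and . _ - + @ only.';
        }
        return 'Profile names must be 3 to 32 characters and start with a letter or digit.';
    }
    // Compare case-insensitively so "Admin" does not bypass the reserved list.
    if (in_array(strtolower($slug), $GLOBALS['reserved_slugs'], true)) {
        return 'That profile name is reserved.';
    }
    return '';
}

// CodeIgniter hook (hypothetical): declare the rule as
//   'required|callback_valid_profile_slug'
// and add a controller method like this one, which calls the function above:
//
//   function valid_profile_slug($slug)
//   {
//       $err = profile_slug_error($slug);
//       if ($err !== '') {
//           $this->validation->set_message('valid_profile_slug', $err);
//           return FALSE;
//       }
//       return TRUE;
//   }

// Constructed sample inputs, run when the file is executed directly.
$samples = array('chris.co_23', 'chris+co', 'chris@co', "o'brien", 'ab', "chris\n", 'Admin');
foreach ($samples as $candidate) {
    $err = profile_slug_error($candidate);
    echo json_encode($candidate) . ' => ' . ($err === '' ? 'OK' : $err) . "\n";
}
```

Store the slug exactly as validated and look it up with a bound parameter; the allowlist keeps URLs predictable and gives the user a precise error, while the query layer, not the character set, is what keeps the apostrophe harmless.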