Need to allow all characters in the URI... what should I be aware of?
#1

[eluser]plainas[/eluser]
What kind of security issues can arise from this?
Any practical example?
#2

[eluser]Derek Allard[/eluser]
The URL can be used to pass characters that could be used in cross-site scripting attacks, or cross-site request forgery, or SQL injection (in theory). I'd encourage you to find another route around allowing all characters.
#3

[eluser]Phil Sturgeon[/eluser]
You can always send some of the data via a query string, then make sure you check that data very closely when you pick it up.
#4

[eluser]plainas[/eluser]
Enabling querystrings would change the whole structure of my application.

I try to stay away from myths and paranoias as much as possible.
That doesn't mean I don't care about security.

Just so I'm sure of all the dangers out there.

Assuming all the variables used in database queries are sanitized, if I htmlspecialchars() all user data I display there shouldn't be any danger... or am I missing something here?
#5

[eluser]Phil Sturgeon[/eluser]
I didn't mean to use query strings for the entire application. Just enable query strings so they are not ignored, and then have site.com/controller/method/whatever?something=hf8956$%£g]ffpdg.
#6

[eluser]plainas[/eluser]
Don't they (query strings) get filtered the same way?
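Added example (not from the thread and not CodeIgniter's own code): a PHP sketch of the two separate controls the posts above touch on, an allow-list on URI segments and strict format validation plus context-aware output encoding for a value carried in the query string. The segment character class, the product-code format and the sample values are constructed for illustration.

```php
<?php
// Constructed allow-list for URI segments: reject the whole request when any
// segment contains a character outside this class. This mirrors the kind of
// conservative rule a framework applies; it is not CodeIgniter's actual setting.
const SEGMENT_PATTERN = '/\A[a-z0-9~%.:_\-]+\z/i';

// Returns true only when every segment matches the allow-list.
function segmentsAllowed(array $segments): bool
{
    foreach ($segments as $segment) {
        if (preg_match(SEGMENT_PATTERN, $segment) !== 1) {
            return false;
        }
    }
    return true;
}

// A query-string value is not filtered by the segment rule, so validate it
// against the format the application actually expects (here a constructed
// product code such as "ab-12") instead of trying to strip "bad" characters.
function parseProductCode(string $raw): ?string
{
    return preg_match('/\A[a-z]{2}-\d{2,4}\z/', $raw) === 1 ? $raw : null;
}

// Encode for an HTML text node or a double-quoted attribute. ENT_QUOTES matters:
// without it a value placed inside an attribute can still close that attribute.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request: clean segments plus an arbitrary query value.
$uriSegments = ['controller', 'method', 'whatever'];
$query = ['something' => 'hf8956$%£g]ffpdg', 'code' => 'ab-12'];

var_dump(segmentsAllowed($uriSegments));
var_dump(segmentsAllowed(['search', 'a b<c']));
var_dump(parseProductCode($query['code']));
var_dump(parseProductCode($query['something']));

// Output encoding is chosen per context: rawurlencode() for the URL part,
// html() for the attribute value and the text node.
echo '<a href="/item?code=' . rawurlencode($query['code']) . '" title="'
   . html($query['something']) . '">' . html($query['something']) . "</a>\n";
```

Validating the input format and encoding the output are independent steps; the first limits what reaches the application, the second decides how a value is rendered in each HTML or URL context.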
