From: Steven J. S. <sj...@Ju...> - 2002-08-06 17:19:26
This is a little function I wrote to escape any character not contained in the variable ok_chars. Characters not represented in that variable are escaped to the corresponding html entities. For example, a space character (ASCII 32) is converted to &#32;

It's VBScript. This is an app running on IIS, and the function is used to cleanse data going into a SQL Server 2000 database.

First, do the & # and semicolon have any special meaning to SQL2K or any of the other popular database engines? I'm thinking not - but I'm not the expert here.

Second, do you think it's ok, given the purpose of the function, to include the % as a valid character that will not be escaped?

Thanks

------------------------------------------------------------------------
function sanitize(string1)
    ok_chars = "1234567890!@%&_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    for i = 1 to len(string1)
        char = mid(string1, i, 1)
        if instr(ok_chars, char) = 0 then
            temp = temp & "&#" & asc(char) & ";"
        else
            temp = temp & char
        end if
    next
    sanitize = temp
end function
------------------------------------------------------------------------

--
Steve Sobol, CTO
JustThe.net LLC, Mentor On The Lake, OH
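An added example, not part of the original post: a Python port of the posted function run against a small table, showing what happens to the % that the allow-list lets through when the value is used in a LIKE comparison, next to a bound parameter with LIKE escaping. Assumptions: Python's sqlite3 stands in for SQL Server 2000, and the `items` table, the sample rows and the `like_escape` helper are hypothetical.

```python
import sqlite3

# Allow-list copied from the posted VBScript function.
OK_CHARS = "1234567890!@%&_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def sanitize(s):
    """Port of the posted function: anything off the allow-list becomes &#N;."""
    return "".join(c if c in OK_CHARS else "&#%d;" % ord(c) for c in s)

def like_escape(s, esc="\\"):
    """Make user text literal inside a LIKE pattern (hypothetical helper).
    T-SQL additionally treats [ and ] as pattern characters; SQLite does not."""
    for ch in (esc, "%", "_"):
        s = s.replace(ch, esc + ch)
    return s

def demo():
    db = sqlite3.connect(":memory:")  # assumption: stand-in for SQL Server
    db.execute("CREATE TABLE items (label TEXT)")
    # Constructed sample rows.
    db.executemany("INSERT INTO items VALUES (?)",
                   [("100%",), ("1000",), ("100 percent",)])
    term = "100%"  # constructed user input
    count = "SELECT count(*) FROM items WHERE label LIKE ? ESCAPE '\\'"
    # % is on the allow-list, so it reaches LIKE as a wildcard.
    via_sanitize = db.execute(count, (sanitize(term),)).fetchone()[0]
    # Escaped wildcards match only the literal text.
    via_escape = db.execute(count, (like_escape(term),)).fetchone()[0]
    # A bound parameter stores the value unchanged, quote and semicolon included.
    db.execute("INSERT INTO items VALUES (?)", ("O'Brien; x",))
    stored = db.execute(
        "SELECT label FROM items WHERE label LIKE 'O%'").fetchone()[0]
    return via_sanitize, via_escape, stored

if __name__ == "__main__":
    print(sanitize("O'Brien; x"))
    print(demo())
```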