From: Alex R. <al...@se...> - 2002-08-06 17:57:55
On Tue, 6 Aug 2002, Steven J. Sobol wrote:

> This is a little function I wrote to escape any character not contained
> in the variable ok_chars. Characters not represented in that variable are
> escaped to the corresponding html entities. For example, a space character
> (ASCII 32) is converted to &#32;

There's no canonicalization. Use of the asc() function assumes that the
char can be represented in 1 byte. Is that a valid assumption at all
times? Will you ever have input from non-ascii char sets? What does the
asc() function return in those cases? Is that output safe?

> It's VBscript. This is an app running on IIS, and the function is used
> to cleanse data going into a SQL Server 2000 database.

I think you should just drop any chars that aren't allowed.

> First, do the & # and semicolon have any special meaning to SQL2K or
> any of the other popular database engines? I'm thinking not - but I'm not
> the expert here.
>
> Second, do you think it's ok, given the purpose of the function, to
> include the % as a valid character that will not be escaped?

I would be wary of "%", "!", "/", and "=". The "/" char is used as a
division operator in some SQL dialects, while "!" is used as negation.
"=" is obviously part of the SQL BNF, and should be disallowed. As for
"%", I dunno, but it just kinda strikes me as dangerous somehow.

> ------------------------------------------------------------------------
> function sanitize(string1)
>
>     ok_chars = "1234567890!@%&_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
>
>     for i = 1 to len(string1)
>         char = mid(string1, i, 1)
>         if instr(ok_chars, char) = 0 then
>             temp = temp & "&#" & asc(char) & ";"
>         else
>             temp = temp & char
>         end if
>     next
>     sanitize = temp
>
> end function
> ------------------------------------------------------------------------

Good Luck.

--
Alex Russell
al...@Se...
al...@ne...
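The following is an added Python model of the quoted VBScript sanitize() and of the "just drop it" alternative raised in the reply; it is not code from the thread or from either poster. It makes concrete the two points above: what an allow-list escaper does when the character code is taken through a lossy 1-byte mapping (emulated here by encoding to a single-byte code page with replacement; whether a given IIS host's Asc() behaves exactly this way is an assumption), and how escaping differs from dropping. The function names, the sample inputs and the collides() helper are constructed for the example.

```python
# Added example, not code from the thread: Python model of the quoted VBScript
# sanitize() plus the "drop disallowed chars" alternative from the reply.

# Same allow list as the quoted function (note: no space, no quote, no semicolon).
OK_CHARS = "1234567890!@%&_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def sanitize_escape(text: str, ok_chars: str = OK_CHARS) -> str:
    """Port of the quoted loop: characters outside ok_chars become &#N;.
    ord() yields the full Unicode code point, so every distinct input
    character yields a distinct reference (no 1-byte assumption)."""
    out = []
    for ch in text:
        out.append(ch if ch in ok_chars else f"&#{ord(ch)};")
    return "".join(out)


def sanitize_escape_1byte(text: str, ok_chars: str = OK_CHARS,
                          codepage: str = "cp1252") -> str:
    """Same loop, but the character code comes from a 1-byte code page with
    unrepresentable characters replaced by '?' (code 63). This emulates an
    asc()-style lookup; that a real Asc() call behaves this way is an
    assumption, the point being what any lossy 1-byte mapping does."""
    out = []
    for ch in text:
        if ch in ok_chars:
            out.append(ch)
        else:
            byte = ch.encode(codepage, errors="replace")[0]
            out.append(f"&#{byte};")
    return "".join(out)


def sanitize_drop(text: str, ok_chars: str = OK_CHARS) -> str:
    """The alternative suggested in the reply: silently discard anything
    not in the allow list instead of encoding it."""
    return "".join(ch for ch in text if ch in ok_chars)


def collides(a: str, b: str, fn) -> bool:
    """True when two different inputs sanitize to the same output, i.e. the
    sanitizer has lost information that a downstream consumer cannot recover."""
    return a != b and fn(a) == fn(b)


if __name__ == "__main__":
    # Constructed input containing a quote, a semicolon, a space and dashes.
    sample = "O'Brien; drop--"
    print(sanitize_escape(sample))   # O&#39;Brien&#59;&#32;drop&#45;&#45;
    print(sanitize_drop(sample))     # OBriendrop

    # Two unrelated non-ASCII characters that no 1-byte code page holds.
    greek, hanzi = "\u03b1", "\u4e2d"
    print(sanitize_escape(greek), sanitize_escape(hanzi))            # &#945; &#20013;
    print(sanitize_escape_1byte(greek), sanitize_escape_1byte(hanzi))  # &#63; &#63;
    print(collides(greek, hanzi, sanitize_escape_1byte))             # True
```

Running it shows the difference the reply is asking about: with full code points the escaper is injective, while the 1-byte variant maps every character outside the code page to the same `&#63;`, so distinct inputs become indistinguishable after "sanitizing". The drop variant never produces a reference at all, which is why it sidesteps the question of whether `&`, `#` and `;` mean anything downstream.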