In article <[EMAIL PROTECTED]>,
"B. van Ouwerkerk" <[EMAIL PROTECTED]> writes:
> I've been reading this discussion and I asked myself whether you guys
> remove/replace unwanted chars from strings you get from the web or
> not..
The problem is not limited to strings you get from the web. Those
strings can come from _any_ source you don't control fully. And you
don't remove unwanted chars - a search for "O'Neill" is perfectly
reasonable and not more dangerous than a search for "Anderson" as long
as you escape the quotation mark properly.
> If you do remove them AFAIK it doesn't only prevent SQL injection but also XSS.
You can prevent XSS in the same manner: carefully escape everything
that looks dangerous. You just use different escaping rules because
you have other dangerous characters (especially '<').
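As an added illustration of the two points above (not code from the thread), the example below uses Python's sqlite3 on a constructed in-memory table: the apostrophe in "O'Neill" breaks a concatenated query, is harmless once the quote is doubled or the value is bound as a parameter, and the same value needs a different escaping rule once it is written into HTML.

```python
import html
import sqlite3

# Constructed sample data; the table lives only in memory so this runs offline.
SAMPLE_NAMES = ["Anderson", "O'Neill", "Smith"]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def search_unsafe(conn, term):
    """Plain concatenation: the apostrophe in O'Neill ends the SQL literal early,
    so the statement is malformed and any text after it is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_escaped(conn, term):
    """Escaping the quotation mark as the post describes: in standard SQL a
    single quote inside a literal is written as two single quotes."""
    sql = "SELECT name FROM users WHERE name = '" + term.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, term):
    """Parameter binding: the driver keeps the value out of the SQL text entirely,
    which is the less error-prone way to get the same effect."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (term,))]


def render_result(term):
    """HTML output needs HTML escaping rules ('<', '>', '&', quotes), not SQL's."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def demo():
    """Returns (outcome of the unsafe query, escaped result, bound result, html)."""
    conn = make_db()
    try:
        search_unsafe(conn, "O'Neill")
        unsafe_outcome = "ran"
    except sqlite3.OperationalError:
        unsafe_outcome = "syntax error"
    return (unsafe_outcome,
            search_escaped(conn, "O'Neill"),
            search_bound(conn, "O'Neill"),
            render_result("<b>O'Neill</b>"))
```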