Online Form Security - What Characters Shall I Ban

accelerator · 20-04-07

Hi All

I'm currently working on a vb.net script that allows user input into my database via an online form. I am writing the form validation code, and I just thought I'd ask which characters people think it's wise to ban. I only want simple text to be allowed, so far I've got:

< > *

What else do people think?

Cheers

Accelerator

tbp · 21-04-07

' ; are the usual ones to block, or at least escape them, as they can be used for SQL injection attacks!

John@PP · 23-04-07

' , " $ ; < >

That said I would just escape them like tbp said

monkeyboy · 23-04-07

Ideally you should be using parameterised SQL in a stored proc rather than building the SQL statement on the fly. This is especially true for SQL Server.

If you have to build up your SQL I would suggest looking out for SQL comment markers such as two dashes --

ceetee · 23-04-07

Are you sure it's not easier to define the only allowable characters?

I.e for username/passwords - alphanumerical characters.

// non alphanumerical characters
$regPattern= "[^a-zA-Z0-9]";

and in the condition

!ereg($regPattern,$_POST['password'])