risky characters to block in asp.net forms?

Question

hi,

I'm about to launch a forms auth membership site that will include forms that both international and American users can use to update their profile info and submit requests for info on products (but no actual e-commerce). I'm using asp.net validation controls on the text inputs and I had it pretty tightly filtered for chars using regex detection. Getting some push-back from marketing to open that up some (a lot), so I was looking for some advice on what chars are highest priority to filter in an asp.net form page from a security stance?

Thanks for any tips on this!

Answer 1

The main thing is to make sure you aren't exposing yourself to SQL injection. Easiest(?) way to handle that in .net/MSSQL is to make sure you are using either stored procedures or parameterized queries.

Depending on how the content being entered on these forms will later be displayed, you'll also want to check for client-side vulnerabilities (like people trying to enter iframe markup or javascript)

Answer 2

When you say submit requests for info on products I'm envisioning a free-text field where a user can enter anything they want, right? In that case you shouldn't be filtering anything. If it's as tight as I think it is then I bet this very answer would be considered bad, which would frustrate your users. =)

We ran into something similar recently where the security folks wanted a whole bunch of special characters locked down. Turns out users can't use periods or apostrophes or hyphens or slashes in their comments - woops! Also turns out that it wasn't required because the ORM being used was already generating parameterized SQL statements that were safe to execute against the DB.

If you're using a modern-day ORM or manually executing parameterized queries against your database I wouldn't worry much at all about enforcing special character restrictions on profile fields.