What are some best practices associated with the use of IRIs to prevent character misrepresentation, spoofing, or character injection?

+1  A: 

There is no one silver bullet for preventing all attacks that involve injecting control characters. Vulnerabilities are highly dependent on how the data is being used. For instance, XSS uses the control characters `<>`, whereas SQL injection uses the control characters `'"\`; mixing both of these filters does not make sense.

One can use a collection of regular expressions to ensure that data is valid before it is used. A specific regular expression can be used to prevent a specific vulnerability on a function-by-function basis. Input validation goes beyond the realm of security and is often required for the program to work properly.

Regexes are not always the best way to get the job done. For instance, if you are using the MySQL library, there should be the function call `mysql_real_escape_string()`, which ensures that all control characters that MySQL recognizes are properly escaped. It is in your best interest to use this function instead of attempting to write your own security system; re-inventing the wheel is bad engineering and can be catastrophic when it comes to security systems.

Rook
XSS also uses `" '` and many other characters. SQL injection is also possible without `'"\` …
knittl
@knittl I know: `'select * from user where id='.addslashes($_GET[id])` and `print("<a href='http://127.0.0.1/$_GET[path]'>xss</a>")`
Rook
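The answer and the comment exchange above make one point: the escaping or filtering has to match the context the data lands in. The following is an added example, not code from the original thread. It rebuilds the two cases from the comments in Python (an `addslashes()` re-implementation and an in-memory SQLite table, both constructed here) to show why a filter for one context fails in another, and what a per-field allowlist plus parameter binding looks like instead. The table layout, sample rows, and payload strings are assumptions for the demonstration.

```python
import html
import re
import sqlite3
from urllib.parse import quote

# --- Per-field allowlist validation (the "one regex per function" idea) -----
ID_RE = re.compile(r"[0-9]{1,10}")


def validate_id(raw: str) -> int:
    """Accept only a short decimal string; anything else is rejected outright."""
    if not ID_RE.fullmatch(raw):
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)


# --- HTML: stripping <> does not protect a quoted-attribute context --------
def link_html_naive(path: str) -> str:
    """Hypothetical 'XSS filter' that only removes angle brackets. A payload
    containing a single quote closes the href attribute and adds a new one."""
    filtered = path.replace("<", "").replace(">", "")
    return f"<a href='http://127.0.0.1/{filtered}'>link</a>"


def safe_path(path: str) -> str:
    """Encode for the contexts the value actually sits in: percent-encode for the
    URL, then HTML-escape (quotes included) for the attribute around it. The
    second layer is a no-op on quote()'s output, but it is the encoder the
    enclosing HTML attribute context requires, so it stays."""
    return html.escape(quote(path, safe="/"), quote=True)


def link_html_safe(path: str) -> str:
    return f"<a href='http://127.0.0.1/{safe_path(path)}'>link</a>"


# --- SQL: escaping quotes does not protect an unquoted numeric context -----
def addslashes(s: str) -> str:
    """Re-implementation of PHP's addslashes(): backslash-escapes ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def setup_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_naive(conn: sqlite3.Connection, raw_id: str) -> list:
    """Mirrors the comment's example: id is concatenated without quotes, so the
    payload needs no quote character and addslashes() changes nothing."""
    sql = "select name from user where id=" + addslashes(raw_id) + " order by id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validate against the allowlist, then bind as a parameter so the value is
    never parsed as SQL at all."""
    sql = "select name from user where id=? order by id"
    return [row[0] for row in conn.execute(sql, (validate_id(raw_id),))]


if __name__ == "__main__":
    payload_html = "' onmouseover='alert(1)"
    print(link_html_naive(payload_html))   # attribute injected despite <> filter
    print(link_html_safe(payload_html))    # quote is percent-encoded, link intact

    conn = setup_db()
    print(lookup_naive(conn, "1 OR 1=1"))  # both rows returned, addslashes() is a no-op
    try:
        lookup_safe(conn, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The two failing cases are not bugs in `addslashes()` or in the angle-bracket filter; each does exactly what it claims. They fail because they were written for a different context (a quoted SQL string, HTML text content) than the one the data ends up in (a bare numeric expression, a single-quoted attribute). Validation per field plus a context-appropriate encoder or parameter binding removes the guesswork.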