Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Input Validation - Multilanguage sites

From: billy_zappa () yahoo com
Date: 20 Mar 2006 21:34:02 -0000
My question relates to Input Validation, especially when dealing with non-English character sets. The site I am working 
on will be written in classic ASP and will run on IIS 6.0.

I am familiar with input validation when dealing with English input/output. I have a couple of utility functions I use 
that either verify that the input is a number when it needs to be, or that it contains only "good" characters. By good 
characters, I mean letters, numbers, or one of the specifically allowed special characters, which I then encode. 
Example is a double quote, or single quote which I manually replace with the appropriate HTML entity.

So my question is how to handle this when dealing with another language, say Chinese as an example. Can all Chinese 
characters/symbols be considered safe? (I am primarily worrying about SQL Injection and/or Cross Site Scripting). When 
using Google Translator, it appears that most, if not all, English symbols are translated as the same symbols in 
Chinese. This includes a single quote, double quote, less than and greater than sign.

Or should I just use Server.HTMLEncode and be happy with that? In the past I liked having the ability to validate my 
input a little bit further through Regular Expression, but maybe this isn't an option when using other character sets.

I hope I explained what I am asking well enough. I look forward to any suggestions that can be offered. Thanks in 
advance for the help!

Jeff

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: