In article <6.0.0.22.0.20040729123957.02ac5b70@pop.atz.nl>,
"B. van Ouwerkerk" <bvo@atz.nl> writes:
> I've been reading this discussion and I asked myself whether you guys
> remove/replace unwanted chars from strings you get from the web or
> not..
The problem is not limited to strings you get from the web. Those
strings can come from _any_ source you don't control fully. And you
don't remove unwanted chars - a search for "O'Neill" is perfectly
reasonable and not more dangerous than a search for "Anderson" as long
as you escape the quotation mark properly.
> If you do remove them AFAIK it doesn't only prevent SQL injection but also XSS.
You can prevent XSS in the same manner: carefully escape everything
that looks dangerous. You just use different escaping rules because
you have other dangerous characters (especially '<').
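The two points made in this reply (escape rather than strip, and use a different escaping rule for SQL than for HTML) as a runnable illustration. This is an added example, not code from the poster or the thread; it assumes Python 3 with the standard-library sqlite3 and html modules, and the table and names are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data: three names, one of which legitimately contains
# the single quote that naive SQL string-building trips over.
NAMES = ["Anderson", "O'Neill", "Smith"]


def make_db():
    """Create an in-memory SQLite table holding the constructed names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)", [(n,) for n in NAMES])
    return conn


def search_naive(conn, term):
    """Build the query by concatenation and return the rows found.

    Returns None when the database rejects the statement: the quote in
    O'Neill terminates the literal early and the rest is a syntax error,
    which is the same mechanism an injection payload exploits.
    """
    sql = "SELECT name FROM people WHERE name = '" + term + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def search_escaped(conn, term):
    """Escape per SQL's own rule: a single quote inside a literal is doubled.

    The search term is kept intact (nothing stripped), so O'Neill is still
    searchable; it just can no longer close the literal.
    """
    sql = "SELECT name FROM people WHERE name = '" + term.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    """Preferred form: the driver carries the value separately from the SQL
    text, so the application never has to escape anything for the database."""
    cur = conn.execute("SELECT name FROM people WHERE name = ?", (term,))
    return [row[0] for row in cur]


def render_html(name):
    """Escaping for the other context: the same value going into a page needs
    HTML rules, where '<', '&' and quotes are the dangerous characters."""
    return "<li>" + html.escape(name, quote=True) + "</li>"


if __name__ == "__main__":
    db = make_db()
    for term in ["Anderson", "O'Neill"]:
        print(term, "naive:", search_naive(db, term),
              "escaped:", search_escaped(db, term),
              "param:", search_parameterised(db, term))
    print(render_html("<b>O'Neill</b>"))
```

The same apostrophe is harmless under both the escaped and the parameterised search, while the naive search fails for O'Neill but not for Anderson; render_html shows that the HTML output path applies a different escaping table to the same string, rather than reusing the SQL one.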