Clouds in my coffee | Brian Hare's personal blog.

Mar/11

2

Programming Input Validation Database

Recently I had some issues with correctly escaping my MSTP command, which I detailed HERE. While testing the escaping, I realized there weren't any sites dedicated to collecting escaping techniques and/or test strings. Normally, when I want to test some escaping, I'll just go through the keys like so: `~!@#$^&*

That works to get an idea of which characters are being escaped or not, but there are certain patterns, or orderings of characters, that may end up breaking some escaping techniques.

For example, with any type of BASH command, you want to make sure the user input escapes semicolons, as a user could use one to terminate the current command and run something malicious.

I know SQL especially has had many vulnerabilities in the past when certain sequences are injected. The benefit for SQL database software like MySQL is that the product is specific to one task, so its escaping functions can be perfected to avoid many of these vulnerabilities. Open-ended languages built for numerous tasks, such as PHP, BASH, PERL, etc., are all too broad: they have many escape functions, but none of them works for every situation.

Similarly, not only have I had trouble finding the best ways to escape things, but I am also always googling for a good regex for email validation from HTML forms.

I am a big fan of web 2.0 type websites where the whole website is based solely on a single task. Therefore, I think there should be a website where users can submit and improve on the best validation techniques for common tasks. This would include not only escaping harmful characters but also regexes for validation.

The idea of the site would be all about escaping and testing escapes and input validation for certain languages. It would be heavy on user submission and almost act like a wiki.

A lot of resources are a bit outdated as far as regexes go as well. For example, not many email validators allow the periods or plus signs that Gmail will let you use. One of my biggest pet peeves is when people don't bother with correctly escaping/validating complex password forms either. I believe every character on the standard American QWERTY keyboard should be allowed in password fields, including chars like @$#*^, but probably none of the special alt-codes, as that's a bit overkill.

As far as I know, there is no central place where all types of input validation are kept. There are good libraries that try to take care of it for you; for example, one that I have used before is jQuery's Validation plugin. However, JavaScript is still client-side only, so you still want to double-check everything on the server side with PHP or a similar server-side language.
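As an added example (not code from the original post), here is a small server-side Python module that ties together the three things discussed above: the "type every key" escaping test, the semicolon/shell-separator concern, and an email/password check that accepts Gmail-style dots and plus signs and every printable keyboard character. The regex and the character set are my assumptions about what "every key on a US keyboard" means; the shell check quotes a string and parses it back the way a POSIX shell would, so a string survives only if the escaping really covers it.

```python
import re
import shlex
import string

# Assumption: "every key on a standard US QWERTY keyboard" means ASCII letters,
# digits, every punctuation symbol, and the space bar; nothing outside ASCII.
KEYBOARD_CHARS = string.ascii_letters + string.digits + string.punctuation + " "

# Syntax-only email check that accepts dots and plus tags in the local part
# ("first.last+tag@example.com"). Assumption: one @ and a dotted domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def valid_email(addr: str) -> bool:
    """True if addr is syntactically plausible; rejects empty labels like 'a..b@'."""
    if not EMAIL_RE.fullmatch(addr):
        return False
    local = addr.split("@", 1)[0]
    return ".." not in addr and not local.startswith(".") and not local.endswith(".")


def password_charset_ok(pw: str) -> bool:
    """Allow any printable keyboard character; reject control chars and alt-codes."""
    return len(pw) > 0 and all(ch in KEYBOARD_CHARS for ch in pw)


def shell_roundtrip_ok(s: str) -> bool:
    """Quote s for /bin/sh, then tokenize it as the shell would.

    The escaping is correct only if the single token that comes back equals s;
    a ';' or backtick that escaped quoting would split or alter the token.
    """
    return shlex.split(shlex.quote(s)) == [s]


def escaping_test_strings():
    """Constructed inputs that break naive escapers: the raw key row, a
    separator, nested quotes, command substitution, and the whole keyboard."""
    return [
        "`~!@#$%^&*()_+-=[]{}|;':\",./<>?",
        "; echo injected",
        "it's \"quoted\"",
        "$(echo hi) `echo hi`",
        KEYBOARD_CHARS,
    ]
```

Running every string in `escaping_test_strings()` through `shell_roundtrip_ok` is the same "walk the keyboard" test the post describes, just automated so it can be re-run whenever the escaping code changes.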

