I am working on a site that was just given to me and is pretty much done. There is already a function to replace sql injection characters/words into a safe format (such that something like 'select' is replaced with 'selects').
However, there is one place there is a problem, and it is when the user is inserting a URL. So, for instance, the user enters a url with a ; (semi-colon) in it. Obviously, I don't want that added, however, if I replace it with any other character, the URL will no longer be good. I was thinking of using URl encoding so that '
http://test.com?id=123;32' equals '
http://test.com?id=123%3B32', however, when trying to reach the URL with that address it does not work with sites like youtube when I replace the "&" with the "%26".
I do not mind removing keywords such as delete, update, select, insert - however, I will need access to allow users to enter in data such as ; or -- which a lot of URL's these days have (such as yahoo news and youtube).
Do any of you experts out there now the best solution to make sure the URL is posted correctly without me exposing myself to a potential hack? This is dynamic SQL and I will not have been told by the owner that I do not have the ability to create a stored procedure.
Thanks
Here are some examples:
http://davidhayden.com/blog/dave/archive/2005/10/24/2528.aspx
http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=6999&lngWId=4