Trouble Filtering the \ character

Ben V.

In my application, I cannot allow the user to enter the "\" character in
their URL. The only problem is, if I try if sURL.include? "\", it gives
me an error, because I'm guessing it assumes that I am trying to escape
chars with the "\" character. If so, how can I check whether the
variable sURL contains the | character? Sorry for such a dumb question.
 
Jim Crossley

Ben V. said:
In my application, I cannot allow the user to enter the "\"
character in their URL. The only problem is, if I try if
sURL.include? "\", it gives me an error, because I'm guessing it
assumes that I am trying to escape chars with the "\" character.

Try sURL.include? "\\"

Jim
 
David Vallner

In my application, I cannot allow the user to enter the "\" character in
their URL.

Might be Windows muscle memory. Consider silently replacing it with a
forward slash instead of reporting an error to the user?

David Vallner


 
Timothy Goddard

David said:
Might be Windows muscle memory. Consider silently replacing it with a
forward slash instead of reporting an error to the user?

When your skin gets exposed to UV light the cells are damaged by the
high energy rays. When the damage exceeds a certain level, the cell has
more potential to damage the organism than help it. The cell responds
to this by committing a form of cellular suicide, called apoptosis.

Applying the same principle to code can produce much more robust
applications than you otherwise would get. If a connection acts
unusually suspiciously, it's often much better to forcefully fail than
to attempt to fix the problem. This is mainly because an attempt to fix
the problem may in itself fail, the validation code becomes much
bulkier and as a result more error prone, and you stand less chance of
giving away information to an attacker.

Whenever suspicious activity is detected (within reason) a generic
failure is usually the best course of action. Mongrel is a very good
example of a Ruby project which takes this approach and is considered
highly secure as a result (I have no connection to the Mongrel
project). If an incorrect HTTP request is encountered it simply drops
the connection, preventing any information from being given to what may
well be an attacker.
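
An added example, not code posted by anyone in this thread: a fail-closed check for the backslash using the escaped literal "\\", which rejects with one generic error instead of repairing the input. It goes a step beyond the thread by also rejecting percent-encoded backslashes (%5C, %255C), which a check on the raw string alone would miss. All names and the decode bound are assumptions.

```ruby
# Added example, not code from the thread; every name below is hypothetical.

BACKSLASH = "\\"        # one character; a lone "\" would escape the closing quote
MAX_DECODE_ROUNDS = 2   # assumed bound on nested percent-encoding

# A single generic error: the client never learns which check fired.
class RejectedURL < StandardError
  def initialize(msg = 'invalid URL')
    super
  end
end

# Returns the URL unchanged if it is clean, raises RejectedURL otherwise.
def validate_url!(raw)
  s = raw.to_s.b        # work on bytes so decoding never hits an encoding error
  (MAX_DECODE_ROUNDS + 1).times do
    raise RejectedURL if s.include?(BACKSLASH)
    decoded = s.gsub(/%(\h\h)/) { $1.hex.chr }
    return raw if decoded == s      # nothing left to decode, no backslash seen
    s = decoded
  end
  raise RejectedURL     # still encoded after the bound: fail closed
end

# Boolean form for callers that only need accept/reject.
def url_ok?(raw)
  validate_url!(raw)
  true
rescue RejectedURL
  false
end

# Constructed sample inputs, run only when this file is executed directly.
if __FILE__ == $PROGRAM_NAME
  ['http://example.com/a/b', 'http://example.com\\a', 'http://example.com/%5Ca',
   'http://example.com/%255Ca', 'http://example.com/a%20b'].each do |u|
    puts format('%-28s %s', u, url_ok?(u) ? 'accepted' : 'rejected')
  end
end
```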
 
