Updating password parameter
Otherwise, you are allowing attackers to repeatedly attack your application until they find a vulnerability that you haven't protected against.
Thus, "(555)123-1234", "555.123.1234", and "555\"; DROP TABLE USER;--123.1234" all convert to 5551231234.Note that you should proceed to validate the resulting numbers as well.As you see, this is not only beneficial for security, but it also allows you to accept and use a wider range of valid user input.This is a dangerous strategy, because the set of possible bad data is potentially infinite.Adopting this strategy means that you will have to maintain the list of "known bad" characters and patterns forever, and you will by definition have incomplete protection.Data from the client should never be trusted for the client has every possibility to tamper with the data.
In many cases, Encoding has the potential to defuse attacks that rely on lack of input validation.
PWGen is a professional password generator capable of generating large amounts of cryptographically-secure passwords—“classical” passwords, pronounceable passwords, pattern-based passwords, and passphrases consisting of words from word lists.
It uses a “random pool” technique based on strong cryptography to generate random data from indeterministic user inputs (keystrokes, mouse handling) and volatile system parameters.
Essentially, if you don't expect to see characters such as ?
or Java Script or similar, reject strings containing them.
It can take upwards of 90 regular expressions (see the CSS Cheat Sheet in the Development Guide 2.0) to eliminate known malicious software, and each regex needs to be run over every field. Just rejecting "current known bad" (which is at the time of writing hundreds of strings and literally millions of combinations) is insufficient if the input is a string.