by sokoloff
4405 days ago
Choosing random characters to exclude (or alternately, only permitting a subset of characters) can make the task of validating that you aren't subject to an injection attack easier. Note that this validation may take the form of validating to someone, shall we say, less than fully competent, or it could be an actual means to protect yourself. The additional search space from 62^N to 200^N isn't especially worth worrying about, IMO.

http://msdn.microsoft.com/en-us/library/bb355989.aspx (to cite just one way that these things come into being; someone finds that you can do input validation easily, and they do it, maybe because they're overly cautious, maybe because someone they need to convince is overly cautious, maybe some other reason.)

IMO, this is not an especially terrible "flaw" in a site.