K. Brian Kelley (4/12/2011)
In the BBS days...
I remember those days! I ran a very small BBB back in the 80's. Those were the days.
Anyway, what you describe is correct. The concept of whitelist vs. Blacklist. Whitelist being more secure and ensuring the characters or patters match an exact allowable list only, vs. a blacklist which is less secure and looks for characters not allowed. Blacklist being less secure because hackers are always adapting and changing and even if you blacklisted all of the bad chars/patterns today, it may be vulnerable tomorrow via a new yet-to-be-invented construct.
On the coding side, I advocate whitelist, and on an exception, attempt to blacklist sanitize the input (replace), then run it through the whitelist check one last time. This tends to prevent the really bad stuff, even if not invented yet (usually), while not doing a smack down on the users ETL process, etc.
Anyway, you made some nice points.