Our system uses user-entered codes as the item's ID.
Years ago it was decided to be ultra friendly and allow all sorts of punctuation to be valid in these codes.
So both & and ; are valid in the string.
We have been solving this by encoding the parameter, and then encoding the whole URL, so double encoding.
Well, we have now tried using IIS and it is complaining about double encoding. I have since discovered the double-encoding attack and am concerned.
All of our internal SQL is written using prepared statements. But we want to save the setup burden on our customers.
Presuming we do want to change, how should we encode the strings to make them safe in URLs?
Or is IIS being overly cautious, and should we save ourselves the effort?
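The encoding question above, as an added example that is not part of the original post and not the poster's code. It shows the three approaches side by side on constructed sample codes: no encoding (the `&` truncates the value), one layer of percent-encoding (the value round-trips through a standard query-string parser), and the double encoding the post describes (the parser hands back a still-escaped string, and a simple "does it decode twice?" heuristic of the kind request filters apply flags it). The base URL, the `id` parameter name and the sample codes are assumptions.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed sample item codes (assumed), with the punctuation the question mentions.
BASE = "https://example.test/items"  # assumed base URL
SAMPLE_CODES = ["AB&12", "X;Y", "plain", "50%off", "a b/c?d=e#f"]


def naive_url(base, code):
    """Approach 0: no encoding at all. '&' and ';' are query-string syntax, so they break the value."""
    return f"{base}?id={code}"


def build_item_url(base, code):
    """Approach 1: encode the code exactly once, as a query-string component.

    urlencode() percent-escapes reserved characters (&, ;, %, /, ?, #, ...) and
    turns spaces into '+'; the rest of the URL is left as-is.
    """
    return f"{base}?{urlencode({'id': code})}"


def double_encode(code):
    """Approach 2 (what the post describes): component encoded, then encoded again."""
    return quote(quote(code, safe=""), safe="")


def item_code_from_url(url):
    """Decode the 'id' parameter the way a standard server-side parser does: split
    on '&' / '=' first, then percent-decode each piece exactly once."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params["id"][0]


def looks_double_encoded(value):
    """Heuristic of the kind a request filter applies: decoding once still leaves
    valid percent-escapes behind. It cannot tell a double-encoded '&' (%2526)
    apart from a single-encoded code that literally contains '%26', so such
    filters are conservative by design."""
    once = unquote(value)
    return once != value and unquote(once) != once


if __name__ == "__main__":
    for code in SAMPLE_CODES:
        print(f"code {code!r}")
        print("  naive   ->", item_code_from_url(naive_url(BASE, code)))
        print("  single  ->", item_code_from_url(build_item_url(BASE, code)))
        dbl = f"{BASE}?id={double_encode(code)}"
        print("  double  ->", item_code_from_url(dbl),
              "(flagged)" if looks_double_encoded(double_encode(code)) else "")
```

The rule the example illustrates is one layer of encoding per layer of syntax: the item code is a query-string component, so it gets percent-encoded once and placed into an otherwise plain URL; the receiving side decodes once. Encoding the whole URL a second time does not make the value safer, it just means the application receives `AB%2612` instead of `AB&12`, and it produces exactly the `%25xx` pattern that IIS's request filtering treats as a double-escaping evasion attempt (the setting is `allowDoubleEscaping` under `requestFiltering`; encoding once removes the need to relax it). Prepared statements protect the database layer, but they do not help when the URL parser has already truncated the code at the first `&`.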