PerlMonks  

Re^3: Preventing injection attacks

by andye (Curate)
on Apr 03, 2007 at 17:36 UTC ( [id://608116] )


in reply to Re^2: Preventing injection attacks
in thread Preventing injection attacks

Hiya Win,

One possibility, if you want to get a log of infringement attempts, would be to do this:

  • Untaint the incoming data using regexp to only accept data that you know is OK.
  • If the regexp fails, then you know the data wasn't OK. So you can log the data, and if you want to run it through an additional 'what-kind-of-a-problem-was-this' regexp, then you could do that too, and add the info to the logfile. (Be careful logging the data though, if you know that there's a potential security problem).
The security benefits of only letting through things that you know are acceptable - rather than only denying things that you know are unacceptable - are generally accepted to be pretty high.

But once you've decided the data is unacceptable, that doesn't mean you have to throw it away: if you want to process it in some way afterwards, then of course you can. You'd need to be pretty careful that you don't do something that could allow it to bite you, though; perhaps you could encode all non-alphanumeric characters, or something like that.

Best wishes, andye
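An added example of the allow-list-then-log approach described above, in Perl (this is illustration written for this page, not andye's code); the username pattern, the classifier patterns, the log line format and the sample inputs are all constructed assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list: the only shape we accept for a username field (constructed;
# choose the pattern that describes your own field). Under taint mode (-T),
# the capture $1 is what yields an untainted value.
my $USERNAME_RE = qr/^([A-Za-z0-9_]{1,32})\z/;

# "What kind of problem was this" classifiers. These run only on input the
# allow-list has already rejected, purely to annotate the log entry.
my @CLASSIFIERS = (
    [ 'quote-or-comment' => qr/['";]|--/ ],
    [ 'angle-bracket'    => qr/[<>]/ ],
    [ 'control-char'     => qr/[\x00-\x1f\x7f]/ ],
);

# Encode everything except [A-Za-z0-9] as %XX, so the rejected data cannot
# "bite" whatever later reads the log (terminal, log viewer, report script).
sub encode_for_log {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Returns the untainted value on success; logs and returns undef on failure.
sub untaint_username {
    my ($raw, $log_fh) = @_;
    if ($raw =~ $USERNAME_RE) {
        return $1;    # the untainted copy, never the original scalar
    }
    my @tags = map { $_->[0] } grep { $raw =~ $_->[1] } @CLASSIFIERS;
    my $kind = @tags ? join(',', @tags) : 'unclassified';
    printf {$log_fh} "%s REJECT field=username kind=%s value=%s\n",
        scalar localtime, $kind, encode_for_log($raw);
    return undef;
}

# Constructed sample inputs: one acceptable, two that fail the allow-list.
for my $input ("alice_01", "bob'; --", "<b>bob</b>") {
    my $ok = untaint_username($input, \*STDERR);
    print defined $ok ? "accepted: $ok\n" : "rejected\n";
}
```

The rejected values reach the log only in %XX form, so the logfile itself never contains a raw quote, angle bracket or control character.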
