The config file is an XML file. Attribute values need to be encoded properly for XML. Specifically, & needs to be encoded as &amp;; < needs to be encoded as &lt;; and > needs to be encoded as &gt;.
You also can't use the C# "verbatim string" prefix (@) on the attribute value.
<add key="BlockedSpChacters" value="\|!#$%&amp;()=?»«£§€{};'&lt;&gt;,+*^%"/>
NB: Your setting name makes me suspect that you're trying to filter out "bad" characters from values that you're injecting into a SQL query. If that's the case, stop immediately. Your code will be vulnerable to SQL Injection.
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
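
The contrast the answer above draws between string concatenation and a parameterized query, as an added C# example that is not part of the original answer. The `Users` table, its `Id` and `Name` columns, the `UserLookup` class and the sample input are assumptions made for illustration; the code uses `System.Data.SqlClient`.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class UserLookup
{
    // Concatenated form, shown only for contrast: the input becomes part of
    // the SQL text, so a quote in the value changes the statement itself.
    public static SqlCommand BuildConcatenated(string name)
    {
        return new SqlCommand(
            "SELECT Id, Name FROM Users WHERE Name = '" + name + "'");
    }

    // Parameterized form: the SQL text is a constant and the value is sent
    // separately as typed data, so no character needs to be blocked.
    public static SqlCommand BuildParameterized(string name)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    static void Main()
    {
        // Constructed input containing characters from the blocked list.
        string input = "O'Brien & Sons <test>";

        using (SqlCommand unsafeCmd = BuildConcatenated(input))
        using (SqlCommand safeCmd = BuildParameterized(input))
        {
            // The quote in the input ends the string literal early.
            Console.WriteLine("Concatenated : " + unsafeCmd.CommandText);

            // The statement text is identical for every input.
            Console.WriteLine("Parameterized: " + safeCmd.CommandText);
            Console.WriteLine("  @name = " + safeCmd.Parameters["@name"].Value);
        }
        // To run the parameterized command, assign an open SqlConnection to
        // its Connection property and call ExecuteReader().
    }
}
```

The parameterized command stores the value unchanged, including the quote, ampersand and angle brackets, which is why a blocked-character list is not needed on the SQL side.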