Escaping user input

Posted by jmls on 09-May-2011 06:31

Are there any "sanitising" features in Progress that would help prevent nasty people from trying to do nasty things with my HTML form input fields?

I know that QUOTER exists, and that ABL is, more specifically, safer from SQL injection attacks than PHP/Ruby etc., and I was wondering what other people use to try to stop attempts at dastardly input.

All Replies

Posted by Admin on 09-May-2011 09:58

Nothing really different from any other web-facing technology: if you get data from the user that is eventually displayed on the web page, then you had better HTML-encode it. However, having HTML-enabled description fields is a legitimate request, and the best bet in that case is to define a list of 'safe' HTML tags that you allow (and don't HTML-encode).

SQL injection is something one can experience in Progress when using dynamic queries, the same way as when using an SQL engine in PHP/Ruby/Perl/ASP. Just be careful when constructing the query string from user input; QUOTER is your friend if you want to safeguard field values (it works with any data type, so use it all the time).
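
The output-encoding advice in the reply above, as an added ABL example that is not code from the original thread. It assumes plain ABL with no WebSpeed include files, and the function name HtmlEncode is my own; the sample description text is constructed.

```abl
/* Added example (not from the original thread): minimal HTML output encoding in ABL.
   Assumes plain ABL without the WebSpeed cgiutils include; HtmlEncode is my own name. */

FUNCTION HtmlEncode RETURNS CHARACTER (INPUT pcText AS CHARACTER):
    /* '&' must be replaced first: the '&' introduced by the later replacements
       would otherwise be re-encoded, turning "<" into "&amp;lt;" instead of "&lt;" */
    pcText = REPLACE(pcText, "&", "&amp;").
    pcText = REPLACE(pcText, "<", "&lt;").
    pcText = REPLACE(pcText, ">", "&gt;").
    pcText = REPLACE(pcText, '"', "&quot;").
    pcText = REPLACE(pcText, "'", "&#39;").
    RETURN pcText.
END FUNCTION.

DEFINE VARIABLE cDescription AS CHARACTER NO-UNDO.

/* Constructed attacker-style input: a stored-XSS attempt typed into a description field */
cDescription = '<script>alert("x")</script> Tom & Jerry'.

/* Encode at the point of output, not at the point of storage, so the database keeps
   the raw text and every rendering path applies the encoding it needs */
MESSAGE HtmlEncode(cDescription) VIEW-AS ALERT-BOX.
```

The browser then shows the `<script>` tags as text instead of executing them. Encoding covers the plain-text case only; for the HTML-enabled description fields mentioned above, the encoded output still has to be combined with a tag allow-list, which this function does not attempt.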

Posted by Stefan Drissen on 15-Mar-2012 02:59

QUOTER only pretended to be a friend...

See yesterday's PANS post "Is ABL code injection preventable?"

The ~042 (octal code for double quote) is not trapped by the QUOTER function.

Simply entering the following in an input field that is used in a dynamic query with QUOTERed input:

~042 OR TRUE AND ~042~042 = ~042

will trick QUOTER, resulting in ALL results being returned.

I consider this an urgent bug in the QUOTER function which should be fixed ASAP.
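
The QUOTER usage recommended earlier in the thread and the ~042 bypass described in the post above, as an added ABL example that is not code from the original thread. Assumptions: a Customer table with a Name field (as in the sports2000 demo database); QUERY-PREPARE decodes tilde escapes inside string literals of the query text, which is what makes the payload work; the hardening of doubling every tilde before QUOTER is my own, as are the names SafeQuoter, CountDynamic and CountStatic. The attacker input is constructed.

```abl
/* Added example, not code from the original thread. Demonstrates the ~042 bypass
   and two ways to close it. Assumes the sports2000 Customer table; SafeQuoter,
   CountDynamic and CountStatic are my own names. */

DEFINE VARIABLE cUserInput AS CHARACTER NO-UNDO.

/* QUOTER doubles embedded quote characters, but the tilde is ABL's escape character
   and ~042 only becomes a quote later, when the query string is compiled.
   Doubling every tilde first makes the compiler see a literal tilde instead
   (assumed hardening, not part of QUOTER itself). */
FUNCTION SafeQuoter RETURNS CHARACTER (INPUT pcValue AS CHARACTER):
    RETURN QUOTER(REPLACE(pcValue, "~~", "~~~~")).
END FUNCTION.

/* Dynamic query built from a WHERE string, as a web handler typically does it */
FUNCTION CountDynamic RETURNS INTEGER (INPUT pcWhere AS CHARACTER):
    DEFINE VARIABLE hBuffer AS HANDLE  NO-UNDO.
    DEFINE VARIABLE hQuery  AS HANDLE  NO-UNDO.
    DEFINE VARIABLE iRows   AS INTEGER NO-UNDO.

    CREATE BUFFER hBuffer FOR TABLE "Customer".
    CREATE QUERY hQuery.
    hQuery:SET-BUFFERS(hBuffer).
    hQuery:QUERY-PREPARE("FOR EACH Customer NO-LOCK WHERE " + pcWhere).
    hQuery:QUERY-OPEN().
    REPEAT:
        hQuery:GET-NEXT().
        IF hQuery:QUERY-OFF-END THEN LEAVE.
        iRows = iRows + 1.
    END.
    hQuery:QUERY-CLOSE().
    DELETE OBJECT hQuery.
    DELETE OBJECT hBuffer.
    RETURN iRows.
END FUNCTION.

/* Static query: the user value is compared as data and never parsed as ABL,
   so no quoting or escaping is needed at all. Prefer this whenever the field
   being searched is known at compile time. */
FUNCTION CountStatic RETURNS INTEGER (INPUT pcName AS CHARACTER):
    DEFINE VARIABLE iRows AS INTEGER NO-UNDO.
    FOR EACH Customer WHERE Customer.Name = pcName NO-LOCK:
        iRows = iRows + 1.
    END.
    RETURN iRows.
END FUNCTION.

/* Constructed attacker input, exactly what is typed into the form field:
       ~042 OR TRUE AND ~042~042 = ~042
   (tildes are doubled here only because this is an ABL string literal) */
cUserInput = "~~042 OR TRUE AND ~~042~~042 = ~~042".

/* 1. QUOTER alone: ~042 passes through untouched, the compiled WHERE clause
      becomes   Customer.Name = "" OR TRUE AND "" = ""   and every row matches */
MESSAGE "QUOTER only:" CountDynamic("Customer.Name = " + QUOTER(cUserInput))
    VIEW-AS ALERT-BOX.

/* 2. Tilde escaped before QUOTER: the value is compared as the literal text
      the attacker typed and matches no customer */
MESSAGE "SafeQuoter:" CountDynamic("Customer.Name = " + SafeQuoter(cUserInput))
    VIEW-AS ALERT-BOX.

/* 3. Static query: same outcome as 2, with no string building to get wrong */
MESSAGE "Static query:" CountStatic(cUserInput)
    VIEW-AS ALERT-BOX.
```

Run it against a connected sports2000 database: the first count is the whole table, the other two are zero. Escaping the tilde closes the payload shown in this thread, but any code that concatenates user input into QUERY-PREPARE text is still parsing attacker-controlled characters, so where the searched field is fixed the static form is the one to use, and where it is not, the field name should come from a fixed list rather than from the request.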
