what if u have a program that directlys get the whole url address and compares it to db? how can i filter such injection? if it is injected via browser?i cannot do a whitelist and blacklist filtering, nor based it one char lenght because my url are dynamic?