
Re: Input validation

From: Tim <tim-security(at)sentinelchicken.org>
Date: Fri Jun 20 2003 - 00:40:07 EDT

Hello,

When I write apps I find that I do sanity checking for the application-specific formats required, and use proper quoting for security issues.

When a user gives you a date on a web page, make sure you receive something that looks like a date. It only makes sense in the context of the application. So in this way, you are doing #3. However, from the application's perspective, certain characters are often perfectly valid, and the end user has a right to be able to give them to you. If a user really wants to put a single quote in that textarea, you should let him.

This is when quoting comes in. And this is where all of your security lies. Whenever you send any piece of data off to another medium, quote it. Whenever a variable that any outside source controls leaves your web app, escape. When you send user input to your db, use the quoting function that your db provides. When you re-display it on the web page, turn the special characters into entities. When you write a filename to the filesystem, escape the dangerous characters.

I know this might seem somewhat backward from what you normally hear about "sanitizing your input". But typically in web apps, we aren't concerned with overflows, we are concerned with funky syntax. A string is a string, and it won't break anything until you try to use it in a way that it wasn't meant to be used.

Anywhere you send this data that is outside of your web app will probably have its own syntax for things. Syntaxes come with special characters. There are typically tools available to quote/escape these characters in each syntax. If they aren't escaped, your program is buggy. If it is buggy, it might be (or probably is) insecure.

good luck,
tim


On Thu, Jun 19, 2003 at 01:38:40PM -0400, Kooper, Larry wrote:
> I am a newbie to this list - apologies if this question is often asked. (I
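As an added illustration of the approach Tim describes (format checks for the application's own needs, then the right quoting at each boundary the data crosses), here is a small Python example. It is not code from the original post or from the list; the sample inputs, the `notes` table and the function names are constructed for the demonstration, and the filename rule is one conservative choice, not the only possible one.

```python
import html
import re
import sqlite3
from datetime import date

# Constructed sample inputs, standing in for what a web form might submit.
SAMPLE_DATE = "2003-06-19"
SAMPLE_TEXT = "O'Reilly <b>&</b> \"friends\""
SAMPLE_NAME = "../etc/passwd; rm -rf"

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_date(value):
    """Application-level sanity check: accept only something that looks like a date.

    This is the '#3' style check from the thread: it exists because the app
    needs a date, not because a non-date is dangerous by itself.
    """
    m = DATE_RE.match(value)
    if not m:
        raise ValueError("not a date: %r" % value)
    # date() also rejects impossible values such as month 13.
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def store_note(conn, author, body):
    """Boundary 1, the database: let the driver quote the values.

    Parameter binding is the db's own quoting mechanism; the single quote in
    SAMPLE_TEXT is stored literally and never becomes SQL syntax.
    """
    conn.execute("INSERT INTO notes(author, body) VALUES (?, ?)", (author, body))
    row = conn.execute("SELECT body FROM notes WHERE author = ?", (author,)).fetchone()
    return row[0]


def render_note(body):
    """Boundary 2, the web page: turn special characters into entities."""
    return "<p>%s</p>" % html.escape(body, quote=True)


def safe_filename(name):
    """Boundary 3, the filesystem: keep a conservative character set.

    Path separators and shell metacharacters become '_', and leading or
    trailing dots are dropped so '.' and '..' cannot come back out.
    """
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    cleaned = cleaned.strip(".")
    return cleaned or "unnamed"


def demo():
    """Run the three boundaries over the constructed inputs and return the results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(author TEXT, body TEXT)")
    when = parse_date(SAMPLE_DATE)
    stored = store_note(conn, "larry", SAMPLE_TEXT)
    return when, stored, render_note(stored), safe_filename(SAMPLE_NAME)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point the example makes is that the same string is treated three different ways: the database gets it byte-for-byte through binding, the page gets entities, and the filesystem gets a reduced alphabet. None of those steps depends on the input having been "cleaned" up front; each boundary applies its own syntax's quoting.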
Received on Fri Jun 20 08:33:04 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT

