[thelist] [tip] Macromedia even forgets (encoding user input)

AxssDnied axssdnied at borg.darktech.org
Wed Jun 25 15:35:33 CDT 2003


>> ps: I do input validation on absolutely everything (post, get,
>> cookies, db, session) and when in doubt... die();
>
> Would you mind sharing some code for this or at least relaying your
> technique? Have you written any sort of library to do this?

I have nothing precise... but I am stringent about filtering every input
to a function for example...
First off... I program PHP on regular basis... I used to program ASP.. but
I don't like tying myself mainly down to IIS servers... so PHP instead...

ok.. I usually build myself a small API folder to contain the functions
that I might call throughout a part of a site (directory, calendar, etc..)
and I try to define a standard set of parameters that I will be expecting.

so for example, I have a file that has at the top:
//PHP//
	// Anchored PCRE patterns with delimiters (the original used ereg(),
	// which no longer exists in current PHP). In a double-quoted string
	// "\\\\" is one regex backslash.
	$pattern['userid']	= "/^([a-zA-Z]|\-)+\\\\([a-zA-Z0-9_]|\-){1,49}$/";
	// Whitelist of printable characters, newline and tab. The "-" is kept
	// last so it is a literal hyphen and not a range, and the whole value
	// is anchored so that one stray character cannot slip through.
	$pattern['safeString']	= '/^([][a-zA-Z0-9.,&;:{}()!?@#$%*+=_ -]|\n|\t)*$/';
	// One octet, 0-255; wrapped in parentheses so the "|" alternation does
	// not swallow the "\." separators when the group is reused below.
	// This is a building block without delimiters, not a pattern on its own.
	$pattern['ipgroup']	= "(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])";
	$pattern['ipaddr']	=
"/^{$pattern['ipgroup']}\.{$pattern['ipgroup']}\.{$pattern['ipgroup']}\.{$pattern['ipgroup']}$/";

function auditMsg($userid, $ip, $msg) {
	global $pattern, $dbname, $auditTable;

	$time = time();		// mktime() without arguments is deprecated
	if (!preg_match($pattern['userid'], $userid))  return 0;
	if (!preg_match($pattern['ipaddr'], $ip))	 return 0;
	// htmlquote() is my own entity-encoding helper, described below
	$msg = htmlquote($msg);
	if (!preg_match($pattern['safeString'], $msg)) return 0;
	$sql = "INSERT INTO $auditTable ([userid],[ip],[time],[desc]) VALUES
('$userid', '$ip', $time , '$msg')";
	//...
}
//PHP//
Please note that the user id pattern above is for a windows
"domain\userid" format.

I only have two specific functions that I have made for myself.

htmlQuote, which replaces characters like ' as &rsquote; é as &eacute;
etc.. as I could find them described. I don't have it for every html
entity, but pretty much all... as well I change \n and \r\n (new line) to
<br />
I also have a htmlLinkQuote which changes a link with some characters into
their %## equivalents... except for ? and & which just breaks the link.

All output I send back to the user (eg: a form that validates itself and
sees bad values and repopulates..), if it managed to pass my input
filters, it will actually go through another character replacement routine
so that < is turned into &lt; and > is turned into &gt; which stops people
from inserting "</textarea><script
language="javascript">alert("problem?!");</script>" into a text area for
example...

Therefore my best recommendation... is to get used to regular expressions.
They task the server a bit more than some other forms of input validation,
but the peace of mind it offers me I find rather nice.


I hope this helps...
and I also hope the code will be readable for all...
Andrew


ps: I will in the following weeks be adding a whole package of files to
http://borg.darktech.org/webcvs/cvsweb.cgi/rr/callendar/ as I've almost
finished that. (code cleanup and admin scripts to be completed)... at
which time you may find a full sample of my validation/coding style.
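As an added example that is not part of the original post, the same whitelist approach written for current PHP: anchored preg_match patterns for the domain\userid, IP and message values, entity encoding before the value is echoed back into a textarea, and the audit INSERT done with bound parameters rather than string interpolation. The function names, the audit table layout and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not the original post's code): the same whitelist idea with
// anchored PCRE patterns, bound SQL parameters instead of interpolation, and
// entity encoding before the value is echoed back. All names are constructed.
$pattern = [
    // Windows "domain\userid"; in a single-quoted string '\\\\' is one regex backslash
    'userid'     => '/^[A-Za-z-]+\\\\[A-Za-z0-9_-]{1,49}$/',
    // Printable text plus newline and tab; "-" sits last so it is a literal hyphen
    'safeString' => '/^[][A-Za-z0-9 .,&;:{}()!?@#$%*+=_\n\t-]*$/',
    // Each octet is grouped so the "|" cannot swallow the "\." separators
    'ipaddr'     => '/^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/',
];

function validateInput(string $name, string $value): bool {
    global $pattern;
    return preg_match($pattern[$name], $value) === 1;
}

// Output side: entity-encode before echoing into a <textarea>, so a
// "</textarea><script>" sequence is displayed as text, not parsed as markup.
function encodeForHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The audit insert with bound parameters: validation stays as the first gate,
// but the SQL text itself never contains user data. Table name is assumed.
function auditMsg(PDO $db, string $userid, string $ip, string $msg): bool {
    foreach (['userid' => $userid, 'ipaddr' => $ip, 'safeString' => $msg] as $n => $v) {
        if (!validateInput($n, $v)) { return false; }
    }
    $stmt = $db->prepare('INSERT INTO audit (userid, ip, time, descr) VALUES (?, ?, ?, ?)');
    return $stmt->execute([$userid, $ip, time(), $msg]);
}

// Constructed sample inputs; the last one is the textarea break-out from the post.
$samples = [
    ['userid',     'CORP\\jdoe'],
    ['ipaddr',     '192.168.0.1'],
    ['ipaddr',     '192.168.0.256'],        // octet out of range
    ['ipaddr',     'x192.168.0.1'],         // anchoring rejects the stray character
    ['safeString', "Hello, world!\n"],
    ['safeString', '</textarea><script>alert("problem?!");</script>'],
];
foreach ($samples as [$name, $value]) {
    printf("%-10s %-55s %s\n", $name, json_encode($value),
           validateInput($name, $value) ? 'accepted' : 'rejected');
}
echo '<textarea>' . encodeForHtml($samples[5][1]) . "</textarea>\n";
```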


