[thelist] [tip] Macromedia even forgets (encoding user input)
AxssDnied
axssdnied at borg.darktech.org
Wed Jun 25 15:35:33 CDT 2003
>> ps: I do input validation on absolutely everything (post, get,
>> cookies, db, session) and when in doubt... die();
>
> Would you mind sharing some code for this or at least relaying your
> technique? Have you written any sort of library to do this?
I have nothing precise... but I am stringent about filtering every input
to a function for example...
First off... I program PHP on a regular basis... I used to program ASP.. but
I don't like tying myself mainly down to IIS servers... so PHP instead...
ok.. I usually build myself a small API folder to contain the functions
that I might call throughout a part of a site (directory, calendar, etc..)
and I try to define a standard set of parameters that I will be expecting.
so for example, I have a file that has at the top:
//PHP//
// Patterns carry preg_match() delimiters; ereg() was removed in PHP 7.
// Each alternation is grouped before it is anchored, so ^ and $ apply to
// the whole pattern and not only to the first and last branch.
$pattern['userid'] = '/^[a-zA-Z-]+\\\\[a-zA-Z0-9_-]{1,49}$/';    // domain\userid
// "-" goes last in the class so it is a literal, not a range; newline and
// tab are allowed anywhere in the string.
$pattern['safeString'] = '/^(?:[][a-zA-Z0-9.,&;:{}()!?@#$%*+=_ -]|\n|\t)*$/';
$pattern['ipgroup'] = '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'; // one octet, 0-255
$pattern['ipaddr'] =
    "/^{$pattern['ipgroup']}\\.{$pattern['ipgroup']}\\.{$pattern['ipgroup']}\\.{$pattern['ipgroup']}$/";
function auditMsg($userid, $ip, $msg) {
    global $pattern, $dbname, $auditTable;
    $time = time();                        // mktime() with no arguments is deprecated
    if (!preg_match($pattern['userid'], $userid)) return 0;
    if (!preg_match($pattern['ipaddr'], $ip)) return 0;
    $msg = htmlquote($msg);                // htmlQuote is described below (defined elsewhere)
    if (!preg_match($pattern['safeString'], $msg)) return 0;
    $sql = "INSERT INTO $auditTable ([userid],[ip],[time],[desc]) VALUES
        ('$userid', '$ip', $time, '$msg')";
    //...
}
//PHP//
Please note that the user id pattern above is for a windows
"domain\userid" format.
I only have two specific functions that I have made for myself.
htmlQuote, which replaces characters like ' as &rsquote; é as &eacute;
etc.. as I could find them described. I don't have it for every html
entity, but pretty much all... as well I change \n and \r\n (new line) to
<br />
I also have a htmlLinkQuote which changes a link with some characters into
their %## equivalents... except for ? and & which just breaks the link.
All output I send back to the user (eg: a form that validates itself and
sees bad values and repopulates..), if it managed to pass my input
filters, it will actually go through another character replacement routine
so that < is turned into &lt; and > is turned into &gt; which stops people
from inserting "</textarea><script
language="javascript">alert("problem?!");</script>" into a text area for
example...
Therefore my best recommendation... is to get used to regular expressions.
They task the server a bit more than some other forms of input validation,
but the peace of mind it offers me I find rather nice.
I hope this helps...
and I also hope the code will be readable for all...
Andrew
ps: I will in the following weeks be adding a whole package of files to
http://borg.darktech.org/webcvs/cvsweb.cgi/rr/callendar/ as I've almost
finished that. (code cleanup and admin scripts to be completed)... at
which time you may find a full sample of my validation/coding style.
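An added example, not the poster's code, showing why the safeString pattern above needs its branches grouped before anchoring, plus the output-encoding and prepared-statement form of the same audit insert; a PDO connection `$pdo` and an `audit` table are assumed.

```php
<?php
// Added example, not from the original post. The safeString pattern as
// posted, "^[...]|\n|\t*$", is an unanchored alternation: PCRE reads it as
// "starts with an allowed character" OR "contains a newline" OR "a run of
// tabs at end of string". The last branch matches the empty string, so the
// check accepts every input. Grouping the branches before anchoring fixes it.
// preg_match() stands in for ereg(), which was removed in PHP 7.

// Same alternation structure as the posted pattern, in PCRE syntax.
const SAFE_STRING_BUGGY = '/^[][a-zA-Z0-9.,&;:{}()!?@#$%*+=_ -]|\n|\t*$/';
// All branches inside one group, anchored at both ends. "-" is last so it is
// a literal; the posted "=-_" was a range from = to _ that also admits > \ ^.
const SAFE_STRING_FIXED = '/^(?:[][a-zA-Z0-9.,&;:{}()!?@#$%*+=_ -]|\n|\t)*$/';
// The post's Windows "domain\userid" form, same character rules.
const USERID = '/^[a-zA-Z-]+\\\\[a-zA-Z0-9_-]{1,49}$/';

function isSafeString(string $s, string $pattern = SAFE_STRING_FIXED): bool
{
    return preg_match($pattern, $s) === 1;
}

// Output encoding: the post's htmlQuote replaces < and > by hand;
// htmlspecialchars() covers the five HTML-significant characters.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Storage with a prepared statement: the value never becomes part of the SQL
// text, so the allow-list and the quoting routine no longer have to agree on
// what a quote mark means. $pdo and the "audit" table are assumed; the column
// names follow the post ("desc" is a reserved word, hence the quoting).
function auditMsgPrepared(PDO $pdo, string $userid, string $ip, string $msg): bool
{
    if (!preg_match(USERID, $userid)
        || !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
        || !isSafeString($msg)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO audit (userid, ip, "time", "desc") VALUES (?, ?, ?, ?)');
    return $stmt->execute([$userid, $ip, time(), $msg]);
}

// Constructed check using the payload quoted in the post.
$payload = '</textarea><script language="javascript">alert("problem?!");</script>';
var_dump(isSafeString($payload, SAFE_STRING_BUGGY)); // posted pattern vs. the payload
var_dump(isSafeString($payload));                    // grouped pattern vs. the payload
var_dump(isSafeString("hello, world!\n\tok"));       // ordinary text with newline and tab
echo encodeForHtml($payload), "\n";
```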