Thread: Review Stage

    #1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2011
    Posts
    198
    Rep Power
    3

    Review Stage


    Hi,

    I am close to launching a website that i have been working on for some time now and i plan on carrying out a significant review of security .

    I understand that one of the biggest areas of concern from a security point of view is how you handle user input (fields / forms etc.)

    I don't expect anyone to reply with tonnes of information on each, as the internet is full of help and advice BUT the one downside of the internet is 'how up to date' the information is (don't want to use / implement out dated practices) or the 'integrity' of the advice, especially in relation to this subject'.

    So what are your key best practices for each of the following:

    1 - Validating Input

    2 - Sanitizing Input

    Thanks in advance for your help...
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,961
    Rep Power
    9397
    Validation rules depend on what's being validated, but in general:
    * Numbers must be numbers - probably positive integers too
    * Numbers in a range must be within the range
    * Items chosen from a list must exist in that list
    * Strings may be arbitrary but (max) length may matter

    Sanitizing should be strictly a matter of making sure the value is only data and never syntax. Like a string in SQL is always just a string, or output in HTML is only text and never markup.
    If you decide to make the wrong (IMO) decision and alter user input, like with strip_tags(), then that's kinda part of sanitizing too.
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1045
    Hi oo7ml,

    I think you're on the wrong track. You cannot "sanitize" input in the sense of applying some functions and checks on the user input, and then it's safe. Do not even attempt that. The PHP developers tried it with the infamous "magic quotes", and we all know how "well" this works (not at all).

    Do not "validate" or "sanitize". Instead, escape your data for the concrete context you're dealing with. If you wanna insert data into a query, use a prepared statement. For an HTML document, use htmlspecialchars(). For JavaScript, use hex encoding. And so on. Each context is different, each one requires a specific approach. There is no magical "make it safe" function.

    Security comes from understanding the risks and escaping mechanisms of each context. It's also important to prevent mistakes. If you hand-pick the "dangerous" data and escape it manually, there's a gigantic risk of getting it wrong sometimes. Instead, escape all data, maybe even automatically. For example, many template engines already apply HTML escaping to all input. Common database libraries also have the escaping built-in.

    Validating form input is great for notifying the user of typos or something. But it's not suitable as a security measure.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

IMN logo majestic logo threadwatch logo seochat tools logo