WebApp Sec mailing list archives

Re: Input validation


From: Peter Conrad <conrad () tivano de>
Date: Mon, 23 Jun 2003 10:26:10 +0200

Hi,

On Thu, Jun 19, 2003 at 01:38:40PM -0400, Kooper, Larry wrote:

> When securing a web site against attacks such as SQL injection and XSS, what
> approach do you recommend following to validate user input?
>
> 1) Attempt to massage data so that it becomes valid
> 2) Reject input that is known to be bad
> 3) Accept only input that is known to be good

Depending on the circumstances, I use 1 and 3. Never use 2, it doesn't take
into account input that is bad but not known to be so. 1 can be used if
the user cannot provide invalid input without some form of "hacking", like
e.g. if there's a fixed SELECT list and the input doesn't match any of the
available OPTIONs.

> The problem with solutions 1 and 2 is that you may miss some forms of bad
> input.  Another subtle problem with solution 1 and 2 is that sometimes bad
> input can be embedded in good input.  For example, if someone searches for
> "director's selections" the string "select" would be rejected (as a SQL
> command), resulting in "director's ions."

A string containing "select" is not bad input. The point is that you must
properly escape and quote strings before passing them to e.g. a database.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg

Germany
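An added example, not part of the thread, that reproduces the "director's selections" failure of approach 2 and contrasts it with what Peter describes: leaving quoting and escaping to the database driver by binding the search term as a parameter, plus a fixed-option fallback in the spirit of approach 1. The category rows, blocked-word list and sort names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample catalogue; the search term is the one from the thread.
ROWS = [("director's selections",), ("editor's picks",), ("new releases",)]
BLOCKED_WORDS = ("select", "insert", "delete", "drop", "union")


def blacklist_filter(term: str) -> str:
    """Approach 2: strip words 'known to be bad'.

    Included only to show the failure described in the thread: it mangles
    legitimate input ("selections" -> "ions") and is not a defence."""
    out = term
    for word in BLOCKED_WORDS:
        out = out.replace(word, "")
    return out


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?)", ROWS)
    return conn


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The term is bound as a parameter, never spliced into the SQL text,
    so the apostrophe in "director's" and the word "select" are plain data
    and no escaping has to be done by hand. instr() avoids LIKE wildcards."""
    cur = conn.execute(
        "SELECT name FROM categories WHERE instr(name, ?) > 0", (term,)
    )
    return [row[0] for row in cur]


def choose_sort(requested: str) -> str:
    """Approach 1 for a fixed SELECT list: the request is only ever mapped
    to one of the known OPTIONs; anything else becomes the default."""
    allowed = {"name": "name ASC", "newest": "rowid DESC"}
    return allowed.get(requested, allowed["name"])


if __name__ == "__main__":
    db = open_db()
    print(blacklist_filter("director's selections"))          # director's ions
    print(search_parameterized(db, "director's selections"))  # one hit
    print(choose_sort("not-an-option"))                       # name ASC
```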