Premium Member Database last update: Tuesday, December 18, 2018 14:03:20 GMT-0700

Be Paranoid About User Input

Tip #2

Be Paranoid About User Input

One of the most security vulnerable areas of the web today is user forms. Websites use forms for all sorts of purposes. Whether you use forms to take orders, receive contact information or allow comments on your blogs or message boards, you need to start with one unbreakable rule:

Never Trust User Input!

Webforms are often the weakest and most prominent sources of hack attacks. Poorly configured forms may allow cross-site scripting, SQL injection and a host of other dangerous activities. Remember also, a form is not always a series of little boxes where users input their names, numbers and comments. Webforms are really any part of your site that allows and accepts user input. This includes variables added and submitted through the website address.

All input data needs to be checked, sanitized and validated prior to processing. Do not rely on your users to validate their data for you.

Data validation should happen on the server side, not the client side. Client-side JavaScript provides some neat features but is entirely unreliable for post submission data validation. If you use ASP or PHP rely on specific features built into these systems to validate all your data.

When validating data don?t spend all your time looking for all the things you will not allow. Develop a ruleset for the limited data you will allow and then stick to it. Strip out malicious code and sanitize the variables before processing or adding the data to your database. Numbers should be numbers, letters should be letters; each piece of data should be limited in size.

Be paranoid. Never trust user input.

Next: Tip#3 Keep your security patches up to date