Web Application Security (PHP)
Zakieh Alizadeh
APA Laboratory – Ferdowsi University of Mashhad
Session 11
Validating, Sanitizing and Escaping User Data
Web Application Architecture
Table of Contents
o Validating
o Sanitizing
o Escaping
o Validating
o Sanitizing
Validating Sanitizing
Validating: Checking User Input
To validate is to ensure the data you've requested of the user matches what they've submitted.
<input type="text" id="my-zipcode" name="my-zipcode" maxlength="5" />
Just like that, we've told the browser to only allow up to five characters of input, but there's no limitation on what characters they can enter: they could type "11221" or "eval (". The maxlength attribute is also only a hint to the browser, so the server can't rely on it. If we're saving to the database, there's no way we want to give the user unrestricted write access.
This is where validation plays a role. When processing the form, we'll write code to check each field for its proper data type. If it's not of the proper data type, we'll discard it.
Sanitizing: Cleaning User Input
Sanitization is a more liberal approach to accepting user data. We fall back to these methods when there is a range of acceptable input rather than one exact form.
For example, in the field below we want to prevent XSS:
<input type="text" id="title" name="title" />
Sanitizing for XSS
Characters to filter or block:
o Markup tag characters: <, >
o Quotes: single and double quotes
o Other sets: =, &, {, }, (, ), -, !, ~, @, #, $, %, *, \, /, ;, +, ^, [, ]
Tags and attributes:
o javascript, frameset, embed, object, iframe, frame, base, bgsound, link, blink, script, style, meta, vbscript, title, dynsrc, lowsrc, stylesheet, img, src, background, applet, xml, exec, echo
Events filtering:
o onmouseover, onabort, onstop, onload, onunload, on* (all events starting with "on" should be blocked or filtered)
Sanitizing for XSS
Strings and function signatures (obfuscation):
o String.fromCharCode, &#(UTF-8), \x, \u, %, &, FSCommand (Flash), functions starting with "on" such as onAfterUpdate
DOM-based XSS:
o document.write and other document.* calls, eval, window.* calls
Escaping: Securing Output
For security on the other end of the spectrum, we have escaping. To escape is to take the data you may already have and help secure it prior to rendering it for the end user.
o htmlspecialchars()
o urlencode()
function clean_data($data) {
    $data = trim($data);          // drop leading and trailing whitespace
    $data = stripslashes($data);  // remove backslashes (legacy magic_quotes clean-up)
    // ENT_QUOTES escapes single as well as double quotes, so the result is
    // also safe inside an HTML attribute; the default flags before PHP 8.1 leave ' untouched
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return $data;
}
Sanitization vs. Validation
We start with validation, as it happens before sanitization. Validation is verifying that the data being submitted conforms to a rule or set of rules you (the developer) set for a particular input field.
Whereas validation requires user input to conform to a certain rule or rules put forth by the developer, sanitization only cares about making sure the data being submitted doesn't contain code.
filter_var
filter_var will do both: sanitize and validate data. What's the difference between the two?
o Sanitizing will remove any illegal character from the data.
o Validating will determine if the data is in proper form.
filter_var($ip, FILTER_VALIDATE_IP);         // returns the IP string, or false on failure
filter_var($email, FILTER_VALIDATE_EMAIL);   // returns the address, or false on failure
filter_var($homepage, FILTER_VALIDATE_URL);  // returns the URL, or false on failure
filter_var($string, FILTER_SANITIZE_STRING); // strips tags; deprecated since PHP 8.1
filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
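The clean_data() escaping function and the filter_var calls above, put together in one added example that is not from the slides: the field names follow the slides, while the sample input, the helper function names and the output contexts are constructed for illustration.

```php
<?php
// Added example, not from the slides: validate, sanitize and escape applied to
// constructed form input. Field names follow the slides; values are constructed.
// Constructed stand-in for $_POST, including a title that contains markup.
$post = [
    'my-zipcode' => '9110x',
    'email'      => 'alice@example.com',
    'homepage'   => 'http://example.com/?q=a b',
    'title'      => '<script>alert(1)</script> "Hello" & \'bye\'',
];

// 1. Validate: accept only what the field asked for, otherwise discard.
//    maxlength=5 on the <input> is a browser hint only, so re-check it here:
//    exactly five ASCII digits, which rejects input such as "eval(" or "9110x".
function validate_zipcode(string $raw): ?string
{
    return preg_match('/^[0-9]{5}$/', $raw) === 1 ? $raw : null;
}

// filter_var returns the validated value, or false on failure (not a boolean).
function validate_email(string $raw): ?string
{
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// 2. Sanitize: keep the field but strip characters it can never legitimately hold.
function sanitize_url(string $raw): string
{
    // FILTER_SANITIZE_URL drops characters that are illegal in a URL, e.g. the space.
    return (string) filter_var($raw, FILTER_SANITIZE_URL);
}

// 3. Escape on output, per context. ENT_QUOTES escapes ' as well as ", so the
//    result is safe inside attributes too (before PHP 8.1 the default flags
//    leave single quotes untouched).
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$zip   = validate_zipcode($post['my-zipcode']); // rejected: not five digits
$email = validate_email($post['email']);        // kept: well-formed address
$home  = sanitize_url($post['homepage']);       // kept with the illegal space removed
echo $zip === null ? "zipcode rejected\n" : "zipcode: $zip\n";
echo "email: $email\nhomepage: $home\n";
echo '<h1>' . escape_html($post['title']) . "</h1>\n";                     // element body
echo '<input value="' . escape_html($post['title']) . "\">\n";              // attribute
echo '<a href="/search?q=' . urlencode($post['title']) . "\">search</a>\n"; // URL query
```

Run it from the command line with php and compare the three escaped renderings of the same title: the HTML contexts share one encoder, while the URL query uses urlencode, because each output context has its own set of dangerous characters.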