Web Application Security (PHP) Zakieh Alizadeh [email protected] APA Laboratory – Ferdowsi University of Mashhad

Validating and Sanitizing User Data


Page 1: Validating and Sanitizing  User Data

Web Application Security (PHP)

Zakieh Alizadeh

[email protected]

APA Laboratory – Ferdowsi University of Mashhad

Page 2: Validating and Sanitizing  User Data

Session 11

Validating Sanitizing and Escaping User Data

Page 3: Validating and Sanitizing  User Data

Web Application Architecture

Table of Contents

o Validating

o Sanitizing

o Escaping

Page 4: Validating and Sanitizing  User Data

Web Application Architecture

o Validating

o Sanitizing

Page 5: Validating and Sanitizing  User Data

Validating Sanitizing

Validating: Checking User Input

To validate is to ensure the data you've requested of the user matches what they've submitted.

<input type="text" id="my-zipcode" name="my-zipcode" maxlength="5" />

Just like that, we've told the browser to only allow up to five characters of input, but there's no limitation on what characters they can input. They could enter "11221" or "eval (". If we're saving to the database, there's no way we want to give the user unrestricted write access.

This is where validation plays a role. When processing the form, we'll write code to check each field for its proper data type. If it's not of the proper data type, we'll discard it.

Page 6: Validating and Sanitizing  User Data

Validating Sanitizing

Sanitizing: Cleaning User Input

Sanitization is a bit more liberal of an approach to accepting user data. We can fall back to using these methods when there's a range of acceptable input.

For example, in the field below, we want to prevent XSS.

<input type="text" id="title" name="title" />

Page 7: Validating and Sanitizing  User Data

Validating Sanitizing

Sanitizing For XSS

Characters to filter or block:

o Markup tag characters: <, >

o Quotes: single and double quotes

o Other sets: =, &, {, }, (, ), -, !, ~, @, #, $, %, *, \, /, ;, +, ^, [, ]

Tags and attributes:

o javascript, frameset, embed, object, iframe, frame, base, bgsound, link, blink, script, style, meta, vbscript, title, dynsrc, lowsrc, stylesheet, img, src, background, applet, xml, exec, echo

Events filtering:

o onmouseover, onabort, onstop, onload, onunload, on* (all events starting with "on" should be blocked or filtered)

Page 8: Validating and Sanitizing  User Data

Validating Sanitizing

Sanitizing For XSS

Strings and function signatures (obfuscation):

o String.fromCharCode, &#(UTF-8), \x, \u, %, &, FSCommand (Flash), functions starting with "on" such as onAfterUpdate

DOM-based XSS:

o document.write and other document.* calls, eval, window.* calls

Page 9: Validating and Sanitizing  User Data

Validating Sanitizing

Escaping: Securing Output

For security on the other end of the spectrum, we have escaping. To escape is to take the data you may already have and help secure it prior to rendering it for the end user.

o htmlspecialchars()

o urlencode()

function clean_data($data) {
    $data = trim($data);             // drop leading and trailing whitespace
    $data = stripslashes($data);     // undo legacy magic_quotes backslashes (magic_quotes was removed in PHP 5.4)
    $data = htmlspecialchars($data); // encode <, >, & and " so the value renders as text, not markup
    return $data;
}

Page 10: Validating and Sanitizing  User Data

Validating Sanitizing

Sanitization vs. Validation

Validation happens before sanitization. Validation is verifying that the data being submitted conforms to a rule or set of rules you (the developer) set for a particular input field.

Whereas validation requires user input to conform to a certain rule or rules put forth by the developer, sanitization only cares about making sure the data being submitted doesn't contain code.

Page 11: Validating and Sanitizing  User Data

Validating Sanitizing

filter_var

filter_var will do both: sanitize and validate data. What's the difference between the two?

o Sanitizing will remove any illegal character from the data.

o Validating will determine if the data is in proper form.

filter_var($ip, FILTER_VALIDATE_IP);          // returns the IP on success, false otherwise
filter_var($email, FILTER_VALIDATE_EMAIL);    // returns the address on success, false otherwise
filter_var($homepage, FILTER_VALIDATE_URL);   // returns the URL on success, false otherwise

filter_var($string, FILTER_SANITIZE_STRING);  // strips tags; deprecated since PHP 8.1, escape with htmlspecialchars() at output instead
filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
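As an added, runnable illustration (not code from the slides), the following ties the deck's validation and escaping steps together in PHP: the field names come from the slides, validate_form() and h() are names chosen here, and $form is a constructed request standing in for $_POST.

```php
<?php
// Added example, not from the slides. Validates the deck's form fields with
// filter_var() (which returns the value on success and false on failure),
// then escapes the free-text field at output time. $form is constructed.
declare(strict_types=1);

function validate_form(array $form): array
{
    $errors = [];
    $clean  = [];
    // maxlength="5" is enforced only by the browser; the server re-checks the
    // type: exactly five digits and nothing else (so "eval (" is rejected).
    $zip = filter_var($form['my-zipcode'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[0-9]{5}$/']]);
    if ($zip === false) { $errors[] = 'my-zipcode'; } else { $clean['my-zipcode'] = $zip; }

    $email = filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'email'; } else { $clean['email'] = $email; }

    // FILTER_VALIDATE_URL checks syntax only and accepts any scheme, so a
    // link that will be rendered into href is additionally limited to http(s).
    $url    = filter_var($form['homepage'] ?? '', FILTER_VALIDATE_URL);
    $scheme = $url === false ? null : parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) { $errors[] = 'homepage'; } else { $clean['homepage'] = $url; }

    // The free-text title has no enumerable "proper form", so it is kept as
    // entered (length-bounded) and neutralised by escaping, not by a blocklist.
    $title = trim((string)($form['title'] ?? ''));
    if ($title === '' || strlen($title) > 100) { $errors[] = 'title'; } else { $clean['title'] = $title; }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Escape for HTML body and quoted-attribute contexts; ENT_QUOTES covers both
// quote styles, and the charset must match the page's declared encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a title carrying markup and a homepage with a non-http scheme.
$form = [
    'my-zipcode' => '12345',
    'email'      => 'user@example.com',
    'homepage'   => 'ftp://example.com/',
    'title'      => '<b>My "page"</b>',
];
$result = validate_form($form);
echo '<h1>' . h($result['data']['title'] ?? '') . '</h1>', PHP_EOL;
echo '<a href="' . h($result['data']['homepage'] ?? '#') . '">home</a>', PHP_EOL;
```

Run it with `php` on the command line: the homepage is reported in $result['errors'] and the title is rendered as literal text rather than as a tag.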

Page 12: Validating and Sanitizing  User Data

Web Application Architecture