John Bokma, freelance Perl programmer

Web forms

Don't trust user input

Never assume, in the server-side program that processes the input of a web form, that any client-side validation or restriction on the form elements (for example a maximum length on a field) has actually taken place. It is quite possible to call the server-side program directly with faked data.

Always be very careful when user input is used to access files, build database queries, execute system commands, and so on. Never silently throw away the parts of the data that shouldn't be there; instead, make sure the data matches what you expect. So rather than silently accepting and fixing the data, report back that it is not what was expected. In most cases this will stop people from attacking your script: silently accepting gives them the impression that their input is accepted, and they keep trying to find an exploit. So always assume the worst can happen regarding the input.
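The following is an added example, not code from this site, of the "match, don't fix" rule above: every field a handler expects is checked against its own server-side rule (a maximum length and an exact allowlist pattern, both enforced regardless of any maxlength or pattern attribute the HTML form carried), and anything that does not match, including fields the form never had, is reported back rather than trimmed or repaired. The field names, rules and sample submissions are constructed for the illustration.

```python
import re

# Server-side rules for the fields this form handler accepts. The HTML
# form may carry the same limits (maxlength, pattern attributes), but
# those only guide the browser; the request can be forged without them.
# (Field names and rules are constructed for this example.)
FIELD_RULES = {
    "username": {"max_len": 20, "pattern": re.compile(r"\A[a-z][a-z0-9_]*\Z")},
    "age":      {"max_len": 3,  "pattern": re.compile(r"\A[0-9]+\Z")},
    # A report name must be a plain file name: no path separators at all.
    "report":   {"max_len": 40, "pattern": re.compile(r"\A[A-Za-z0-9_-]+\.txt\Z")},
}


def validate_form(fields):
    """Check a submitted field dict against FIELD_RULES.

    Returns (ok, errors). ok is True only when every expected field is
    present and matches its rule exactly; errors maps a field name to the
    message the handler reports back. Nothing is silently shortened or
    stripped: a value either matches what we want or it is refused.
    """
    errors = {}
    for name, rule in FIELD_RULES.items():
        value = fields.get(name)
        if value is None:
            errors[name] = "missing"
        elif len(value) > rule["max_len"]:
            errors[name] = "too long (max %d)" % rule["max_len"]
        elif not rule["pattern"].match(value):
            errors[name] = "unexpected characters"
    # Fields the form never had are reported too, not quietly ignored.
    for name in fields:
        if name not in FIELD_RULES:
            errors[name] = "unknown field"
    return (not errors, errors)


def handle_submission(fields):
    """Return ("ok", fields) for a clean submission, else ("error", errors).

    Only the "ok" branch should go on to touch files, databases or the
    shell; the "error" branch answers the client with what was wrong.
    """
    ok, errors = validate_form(fields)
    if not ok:
        return ("error", errors)
    return ("ok", dict(fields))


# Constructed sample submissions: the second one ignores every limit the
# form itself would have imposed in the browser.
GOOD_SUBMISSION = {"username": "john_b", "age": "42", "report": "summary.txt"}
BAD_SUBMISSION = {
    "username": "a" * 25,            # longer than the form's maxlength
    "age": "42",
    "report": "notes/summary.txt",   # a path, not a bare file name
    "extra": "1",                    # a field the form does not have
}

if __name__ == "__main__":
    print(handle_submission(GOOD_SUBMISSION))
    print(handle_submission(BAD_SUBMISSION))
```

The rules are deliberately allowlists (what a value must look like), not denylists of characters to remove; a denylist is what the "silently fix it" approach needs, and it is exactly the thing an attacker keeps probing.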

Since it is quite possible for a user to press the submit button more than once, your server-side program must be able to handle those cases. Client-side scripting alone is not secure, since it can be disabled or circumvented.
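One server-side way to cope with a repeated submit, added here as an example and not taken from this site: the server puts a one-time token in the rendered form as a hidden field, consumes the token before performing the form's side effect, and answers any later request carrying the same token as a duplicate. A request with a token the server never issued is refused as well, so disabling the client-side guard changes nothing. The in-memory sets, the hidden field name `form_token` and the order list are constructed for the illustration; a real deployment would keep the token state in a session store or database shared by all server processes.

```python
import secrets

# Tokens handed out with rendered forms, and tokens already used. Both are
# process-local here (constructed for the example); a production handler
# would keep them in shared storage so every worker sees the same state.
_pending_tokens = set()
_consumed_tokens = set()
_orders = []   # stand-in for the side effect the form triggers


def issue_form_token():
    """Generate a one-time token to embed as a hidden field in the form."""
    token = secrets.token_hex(16)
    _pending_tokens.add(token)
    return token


def process_submission(fields):
    """Handle one POST of the form.

    Returns "accepted" for the first submit with a valid token,
    "duplicate" for any further submit with that same token, and
    "invalid" when the token is absent or was never issued by us.
    The token is consumed before the side effect, so two quick clicks
    of the submit button record the order once.
    """
    token = fields.get("form_token", "")
    if token in _consumed_tokens:
        return "duplicate"
    try:
        _pending_tokens.remove(token)
    except KeyError:
        # Empty, forged, or simply not one of ours.
        return "invalid"
    _consumed_tokens.add(token)
    _orders.append(fields.get("item", ""))   # the one-time side effect
    return "accepted"


def recorded_orders():
    """Orders recorded so far (one entry per accepted submission)."""
    return list(_orders)


if __name__ == "__main__":
    # Constructed exchange: the form is rendered once, then submitted twice.
    token = issue_form_token()
    print(process_submission({"form_token": token, "item": "book"}))  # accepted
    print(process_submission({"form_token": token, "item": "book"}))  # duplicate
    print(process_submission({"item": "book"}))                       # invalid
    print(recorded_orders())
```

Because the check happens on the server, it also catches a second submit that arrives from a script or a replayed request rather than from the button, which is the case a client-side "disable the button after click" guard can never cover.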

