Having been stress-testing the online forms of my fellow developers at work, and reading Eric Farraro's posts on Cross Site Scripting and his recent Google exploit, I realised just how important user input validation is, and the need to emphasise that.
Both XSS and SQL Injection are simple exploits that work on the basic assumption that a web application 'trusts' the input it is given, either through carelessness or ignorance on the part of the developer. The common pattern is the following style of code:
[php]
echo "hello:" . $user_input; // XSS vulnerable: user input is written straight into the page
$sql = "INSERT INTO table VALUES (" . $user_input . ")"; // SQL Injection: user input becomes part of the query
[/php]
While both are valid approaches when the contents of the variables are your own, it is a whole different game when the values are supplied by an external user. With no limitations, the above code is essentially equivalent to
[code]
echo "hello:", place-your-webpage-here
$sql = access-to-my-whole-database
[/code]
not good…
"yes, my name really is '; DROP table users; --"
Personally, I would suggest building your project on an established framework that handles most security issues for you. Being the Ruby fan that I am, Ruby on Rails is an exceptional choice. Security assistance is built into the framework itself, preventing common SQL Injection and XSS:
“If you only use the predefined ActiveRecord functions (attributes, save, find) without writing any conditions, limits or SQL queries yourself, ActiveRecord takes care of quoting any dangerous characters in the data for you.”
“Strictly convert HTML meta characters (“<” and “>”) to the equivalent HTML entities (“&lt;” and “&gt;”) in every string that is rendered in the website. … Rails provides the helper method h() for HTML meta character conversion in Views.”
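An added example, not code from this post or from Rails itself, that puts the vulnerable pattern from above beside the two defences the quotes describe, in plain Ruby: CGI.escapeHTML does what the h() helper does, a small sql_quote shows the quoting ActiveRecord applies, and a checker counts statement separators that ended up outside a string literal. The sample inputs are constructed, and sql_quote is illustrative only; production code hands values to the driver through placeholders.

```ruby
require 'cgi'
# Constructed sample inputs: the hostile name from the post, and a value carrying HTML markup.
HOSTILE_NAME = "yes, my name really is '; DROP table users; --"
MARKUP_NAME  = "Bob <b>& friends</b>"

# The post's PHP pattern, transcribed: input goes straight into the output.
def greet_unsafe(user_input)
  "hello: #{user_input}"
end

def insert_sql_unsafe(user_input)
  "INSERT INTO users (name) VALUES ('#{user_input}')"
end

# What the h() helper does: metacharacters become entities, so the browser
# shows them as text instead of interpreting them as markup.
def greet_safe(user_input)
  "hello: #{CGI.escapeHTML(user_input)}"
end

# Standard-SQL quoting (embedded quotes doubled), the idea behind ActiveRecord's
# quoting. Illustrative only; real code uses the driver's placeholders.
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def insert_sql_safe(user_input)
  "INSERT INTO users (name) VALUES (#{sql_quote(user_input)})"
end

# Defender's check: count ';' outside string literals. Any such separator
# means user data escaped its literal and is now being read as SQL.
def separators_outside_literals(sql)
  in_string = false
  count = 0
  i = 0
  while i < sql.length
    c = sql[i]
    if in_string
      if c == "'" && sql[i + 1] == "'"   # '' is an escaped quote
        i += 1
      elsif c == "'"
        in_string = false
      end
    elsif c == "'"
      in_string = true
    elsif c == ";"
      count += 1
    end
    i += 1
  end
  count
end
```

With the hostile name, the concatenated INSERT has two separators outside any literal (the injected DROP runs as its own statement), while the quoted version has none.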
Additionally, Rails includes an amazing framework for data validation, ensuring the integrity of submitted data (and producing pretty-looking feedback as well). I might go into more detail about that later.
The bottom line is: stay in control of your application and validate all the content yourself; don't trust the user to always enter the correct input.