Monday, November 08, 2010

There is just no excuse for….

not sanitising and validating your user inputs. These two items are the most important aspects of writing a stable and secure system.

Not only do I think that Sanitising and Validating is important, I also believe that it must be done in that exact order.

Here is a quick example of what can go wrong:

Imagine you have a web application used to sign up users. The only mandatory field is Username, and it must be a minimum of 10 characters in length. This is a very easy check, but developers will quite often perform a trim on data going into a database. What happens when you validate for length but then have your code remove 1, 2 or maybe even 10 characters?  The worst case here is that the string full of spaces pass validation then your code removes all 10 characters from the username, resulting in an attempt to insert a null into the database. From here, hilarity will ensue, with either a database constraint exception or random null reference exceptions down the track when you try to use the data for something useful.

This is a very basic example of what can go wrong when you either don’t sanitise, don’t validate or you get the two around in the wrong order.

We apps in particular are still a very popular target for malicious users, using SQL injection attacks, delayed injection attacks or any other method you can possibly think of.

So please, do the right thing, Sanities then Validate ALL your data.

No comments: