Saturday, October 11, 2014

Input validation for web-applications, how to process input safely and securely - Part 3 of 3

This is part 3 of 3 of the blog series about input validation for web-applications. In the first part the entire process was explained. In the second part we did some coding on the client-side, and now we will look into server-side coding in PHP. But keep in mind that the same principles apply to all programming languages.

Input validation is not only about security. It is also about building user-friendly applications (a message when the data-entry does not comply) and keeping data consistent (all data is stored in the same format). For example, you can choose to store all dates in yyyy-mm-dd format in your database. When you enforce that, you can easily analyze and generate statistics of the data in your database. When a user of the system enters data in a wrong format, you can either automatically change it (sanitization), or send a message to the user to enter it in the correct format.

Part 1 - Input validation process
Part 2 - Input validation coding client-side
Part 3 - Input validation coding server-side

The input requirements

In the previous post we used the example requirements below. This example came in the form of a small register form with the most basic input values. The following input is requested from the user, including all the requirements of the input data, and in this stage it is sent to the web server.
  • Name (name and surname)
    • Required
    • Maximum length is 50 characters
  • E-mail address
    • Required field
    • Needs to validate as email address
  • Password
    • Required field
    • Requires at least one lower and one uppercase letter, one digit, no spaces and a length of 8-16 characters
    • Must be same as repeat password
  • Repeat password
    • Required field
    • Requires at least one lower and one uppercase letter, one digit, no spaces and a length of 8-16 characters
    • Must be same as password
  • Birthdate
    • Optional
    • Needs to validate as a proper date (mm/dd/yyyy)
  • Personal website
    • Optional
    • Must validate as a proper url
    • Only http and https is allowed
Very basic values of course, but good enough for the example throughout the client-side and server-side input validation coding. It is very important to first sit down with your co-workers about the requirements of the data before you actually start coding.

Input validation Steps

For every step in the process we will look at what it might mean for the PHP code on the server. Some steps will not be required at all, some are optional and some are definitely required.
  1. Check if the input is actually sent and received
  2. Store input in memory, separate it from the source
  3. Check variable for, and remove all scripting
  4. Trim the variable
  5. Truncate the variable to the maximum size of expected value
  6. Check if it is the correct variable type and / or format
  7. Check if it is expected content (also called white listing)
  8. When relevant, check existence of local resources
  9. Now the input is ready for the process

Server-side PHP

The server-side code for input validation can be found below. In this situation we use PHP and I will show two kinds of examples: one is input validation only, the other is input validation and sanitization. Keep in mind that when sanitization is done on the server-side, you probably need it on the client-side as well (there is no point doing it server-side only, as the user will otherwise face input validation errors from the client-side validation first).

That being said, all steps are explained in the code itself.
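Below is an added example, not the original post's code, of how the nine steps map onto one PHP handler for the registration form and requirements listed above. It assumes PHP 7 or later with the mbstring extension, and the $existingEmails array is a constructed stand-in for the database lookup that step 8 would normally do.

```php
<?php
// Added example, not the blog's own code: the nine validation steps applied
// to the registration form. Assumes PHP 7+ with mbstring; $existingEmails is a
// constructed stand-in for a database lookup in step 8.
declare(strict_types=1);

function validateRegistration(array $post, array $existingEmails = []): array
{
    $errors = [];
    $clean  = [];
    $fields = ['name', 'email', 'password', 'password_repeat', 'birthdate', 'website'];
    // Longest value we would ever accept per field (step 5). Passwords are not
    // truncated: a silently shortened password is a usability and security bug.
    $limits = ['name' => 50, 'email' => 254, 'birthdate' => 10, 'website' => 2048];

    // Step 1: was every expected field actually sent, and is it a string
    // (PHP turns name[]=x into an array, which would break every later check)?
    foreach ($fields as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';
        }
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors, 'data' => []];
    }

    // Steps 2-5: copy into local storage, strip markup (the sanitization
    // variant of step 3), trim, then truncate to the maximum expected length.
    foreach ($fields as $field) {
        $value = $post[$field];                                 // step 2
        if ($field !== 'password' && $field !== 'password_repeat') {
            $value = trim(strip_tags($value));                  // steps 3 and 4
            $value = mb_substr($value, 0, $limits[$field]);     // step 5
        }
        $clean[$field] = $value;
    }

    // Steps 6 and 7: type, format and whitelist checks from the requirements.
    if ($clean['name'] === '') {
        $errors['name'] = 'required';
    }

    $email = filter_var($clean['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid e-mail address';
    } else {
        $clean['email'] = strtolower($email);
    }

    // One lowercase, one uppercase, one digit, no whitespace, 8-16 characters.
    $policy = '/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?!.*\s).{8,16}$/';
    if (!preg_match($policy, $clean['password'])) {
        $errors['password'] = 'does not meet the password policy';
    } elseif (!hash_equals($clean['password'], $clean['password_repeat'])) {
        $errors['password_repeat'] = 'passwords do not match';
    }

    // Optional birthdate: a real calendar date in mm/dd/yyyy. The round trip
    // through format() rejects rollovers such as 02/30/2014; the stored form
    // is the consistent yyyy-mm-dd the post recommends.
    if ($clean['birthdate'] === '') {
        $clean['birthdate'] = null;
    } else {
        $date = DateTime::createFromFormat('!m/d/Y', $clean['birthdate']);
        if ($date === false || $date->format('m/d/Y') !== $clean['birthdate']) {
            $errors['birthdate'] = 'expected a valid date as mm/dd/yyyy';
        } else {
            $clean['birthdate'] = $date->format('Y-m-d');
        }
    }

    // Optional website: must parse as a URL and the scheme is whitelisted to
    // http/https, so javascript: or data: URLs never reach the stored profile.
    if ($clean['website'] === '') {
        $clean['website'] = null;
    } else {
        $url    = filter_var($clean['website'], FILTER_VALIDATE_URL);
        $scheme = $url === false ? '' : strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($url === false || !in_array($scheme, ['http', 'https'], true)) {
            $errors['website'] = 'only http and https URLs are allowed';
        } else {
            $clean['website'] = $url;
        }
    }

    // Step 8: check local resources, here whether the address is already taken.
    if (!isset($errors['email']) && in_array($clean['email'], $existingEmails, true)) {
        $errors['email'] = 'already registered';
    }

    // Step 9: hand over only what the process needs. The password is hashed
    // here so the plain text never reaches storage; the repeat field is dropped.
    unset($clean['password_repeat']);
    if ($errors === []) {
        $clean['password'] = password_hash($clean['password'], PASSWORD_DEFAULT);
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $errors === [] ? $clean : []];
}

// Constructed sample request standing in for $_POST; the name has markup and
// padding that steps 3 and 4 remove, and the leap-day birthdate is valid.
print_r(validateRegistration([
    'name'            => ' Joram <b>Teusink</b> ',
    'email'           => 'joram@example.com',
    'password'        => 'Passw0rdOK',
    'password_repeat' => 'Passw0rdOK',
    'birthdate'       => '02/29/2012',
    'website'         => 'https://example.com/blog',
], ['taken@example.com']));
```

Two design choices worth noting: the password fields skip strip_tags, trim and truncation, because any silent change to a password means the user can never log in with what they typed, so the policy regex rejects instead; and the date check does not trust DateTime::createFromFormat alone, because it accepts 02/30/2014 by rolling it over to March, so the parsed date is formatted back and compared to the input.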

All done now...

Happy days! You passed all tests and can assume that the input is validated, sanitized and safe to send to the database, files or other storage or processing locations.

That's about it for the input validation process, client-side execution and server-side execution. Please bear in mind to never ever trust (user) input and always process it appropriately. The most common vulnerabilities are due to improper input validation.

I hope you liked this set of posts on the topic, and thank you for reading my blog!

Disclaimer concerning the code

Please be aware that the code above is merely an example to show what can be done for input validation and it is not ready for production environments. Chances are that the regular expressions can be improved, and other code might be as well.

Always make sure that you follow the requirements of your applications and incorporate the security in its design. From there you can implement all the input validation you need for the best security of your application.

Sources

Here are a couple of informative and useful sources you might want to check out.

Copyright (c) 2015 Joram Teusink

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.