rc3.org

Strong opinions, weakly held

Sanitize your input

It’s impossible to overemphasize the need to sanitize user input that will be displayed to users in a Web application. Just ask MySpace.

2 Comments

  1. And the real shame is that often it is very simple to sanitize input.

    For example, if you are pulling in record numbers, currency values, dates, etc., it is trivially easy to convert these to their native formats and then plug it right back into your sql statement.

    For example:

    BigDecimal cashAmount = null;
    try {
    cashAmount = new BigDecimal( getAttribute( "paymentfield" ) );
    } catch( NumberFormatException nfe ) {
    // invalid input
    ...
    }
    // cashAmount is now valid
    String sql = "select id from payment where amount > " + cashAmount + ";";
    ...
    

    All too often, I’ll actually see something like

    sql = "select id from payment where amount > " +
    getAttribute( "paymentfield" ) + ";";

    And then it is SQL-injection city.

    The amount of code that is vulnerable in this way is mind-boggling. Every industry and company I’ve ever worked had critical, production code with these same issues. Based upon the lack of any stories in the MSM, I believe either the companies are very good at covering up/blisfully ignoring break-ins, most attacks are the result of blind luck, or most crackers are dumber than a box o’ rocks. Or all three.

  2. True, there are trivial checks out there.

    But this exploit was really nasty/tricky. Parts of it rely on browser bugs, like treating “javascript” with an embedded newline as the proper value. Hard to protect against that.

Leave a Reply

Your email address will not be published.

*

© 2016 rc3.org

Theme by Anders NorenUp ↑