Validating Input For A Secure Program

In web development, the first thing to do is to check every piece of data received. A program must always make sure that its input is in the expected form. Keeping malicious data out also keeps the quality of the data high. This article outlines the techniques for validating input to secure programs.

Validating the Input

Check every piece of data received.

Reject insecure data to protect the program from attacks.

Check at the point where the data is received, and again later when the data is used.

Checking Incorrect Input

Checking only for known-illegal data values is one of the biggest mistakes, as attackers might simply use another data value.

Data must match its definition; otherwise, reject it.

Match the input to a certain pattern; reject the inputs that do not follow that pattern.

Avoid dangerous values.

The kinds of data expected in a web development (UK) process are discussed below:

Numbers:

Here the data is in number format. Digits can be checked using the regular expression ^[0-9]+$. In most cases there will also be a minimum and a maximum value, so check whether the number lies inside its legal range.

In web development (UK), the lack of a minus sign doesn't mean that there can be no negative numbers. Passing an excessively large number to many number-reading routines will make the value roll over into a negative number. Developers who neglect this allow attackers to overwrite critically important data.

In the case of floating-point numbers, the normal checking routines allow values such as "NaN" (not a number). This creates confusion later, as NaN is not equal to NaN!

Strings:

Regular expressions are the tools that describe legal string values in web development (UK). A string that doesn't match the pattern is rejected. An example is the expression ^[A-Za-z0-9]+$, which specifies that the string must be at least one character long and can only include upper-case letters, lower-case letters, and the digits 0 through 9 (in any order).

When using regular expressions, mark the beginning with ^ and the end with $. Otherwise an attacker could insert illegal data around the matched text. These anchor symbols may vary between regular-expression dialects.

The characters that can cause trouble are:

Characters with values less than 32

Includes character 0, traditionally called NUL.

It is easily confused with C's NULL pointer.

The line ending characters can be interpreted as command endings.

Characters with values higher than 127

Often used for international characters.

Care should be taken while interpreting them, as they have many possible meanings.

They are mostly UTF-8 encoded characters with their own complications.

Metacharacters

These characters have special meanings to programs or libraries.

Characters with special meaning in the program

They are mainly characters used as delimiters. Some programs use commas, tabs, or colons to separate the data fields in data files, so those values must be encoded if they appear in the data. The most common problem being faced today is the less-than sign (
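As an added example that is not part of the original article, the following Python ties together the number checks (range and NaN), the anchored string pattern, and the troublesome-character classes described above. The ^[A-Za-z0-9]+$ and ^[0-9]+$ patterns are the article's own; the maximum length, the numeric ranges and the delimiter set are assumptions made for illustration.

```python
import math
import re

# The article's patterns, compiled once. Anchoring (done here with fullmatch,
# which also refuses a trailing newline that a bare $ accepts in Python)
# forces the WHOLE value to match, not just a substring of it.
ALNUM = re.compile(r"[A-Za-z0-9]+")
DIGITS = re.compile(r"[0-9]+")


def is_alnum(value: str, max_len: int = 64) -> bool:
    """Allow-list check: accept only what the pattern explicitly permits."""
    return len(value) <= max_len and ALNUM.fullmatch(value) is not None


def is_alnum_unanchored(value: str) -> bool:
    """The mistake the text warns about: search() matches anywhere, so a
    value like "abc;" passes because "abc" matches somewhere inside it."""
    return ALNUM.search(value) is not None


def parse_int(value: str, lo: int, hi: int):
    """Digits only, then an explicit range check: an oversized value is
    rejected here instead of rolling over into a negative number later."""
    if DIGITS.fullmatch(value) is None:
        return None
    n = int(value)
    return n if lo <= n <= hi else None


def parse_float(value: str, lo: float, hi: float):
    """float() accepts 'nan' and 'inf'; because NaN != NaN the range test
    alone would not catch it, so reject non-finite values first."""
    try:
        x = float(value)
    except ValueError:
        return None
    if math.isnan(x) or math.isinf(x):
        return None
    return x if lo <= x <= hi else None


def troublesome_chars(value: str) -> set:
    """Classify the character groups the text lists, for logging or rejection.
    The delimiter set (comma, colon, less-than) is an assumed example."""
    found = set()
    for c in value:
        code = ord(c)
        if code < 32:
            found.add("control")      # includes NUL, tab and line endings
        elif code > 127:
            found.add("non-ascii")    # international / UTF-8, handle with care
        elif c in ",:<":
            found.add("delimiter")
    return found
```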

by: jakson
