Difference between revisions of "Input Validation"
From OWASP
(Reverting to last version not containing links to www.textzeltrors.com) |
|||
| Line 1: | Line 1: | ||
{{Template:Control}} | {{Template:Control}} | ||
{{Template:Stub}} | {{Template:Stub}} | ||
| − | + | {{taggedDocument | |
| + | | type=inactiveDraft | ||
| + | | lastRevision=2016-07-27 | ||
| + | | comment=Content is poor | ||
| + | }} | ||
<br> | <br> | ||
[[Category:OWASP ASDR Project]] | [[Category:OWASP ASDR Project]] | ||
Latest revision as of 02:06, 28 July 2016
This is a control. To view all control, please see the Control Category page.
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
This page contains draft content that has never been finished. Please help OWASP update this content! See FixME.
Last revision (yyyy-mm-dd): 2016-07-27
Comment: Content is poor
Last revision (yyyy-mm-dd): 2016-07-27
Comment: Content is poor
Using black and/or white lists which defines valid input data. Such approach is more accurate and provides better risk analysis, when there is need of modification of the lists.
E.g. When we expect digits as an input, then we should perform accurate input data validation.
#include <stdio.h>
#include <ctype.h>
#include <string.h>
int main(int argc, char **argv)
{
char a[256];
strncpy(a, argv[1], sizeof(a)-1);
int b=0;
for(b=0; b<strlen(a); b++) {
if(isdigit((int)a[b])) printf("%c", a[b]);
}
printf("\n");
return 0;
}
In PHP for input data validation we may use e.g. preg_match() function:
<?php
$clean = array();
if (preg_match("/^[0-9]+:[X-Z]+$/D", $_GET['var'])) {
$clean['var'] = $_GET['var'];
}
?>
For special attention deserves modifier "/D", which additionally protects against HTTP Response Splitting type of attacks.
Avoid using of environment variables if the attacker may alter their values.
Check Category:Input Validation for contents
