String security Validation?

Forum Moderators: coopster

Message Too Old, No Replies

String security Validation?

Looking for basic tips to validate string inputs

markHulb

4:20 am on Apr 23, 2008 (gmt 0)

Hello All First post here,
I am building a simple Ecommerce site where users pick from a limited number of products to buy. All SQL based. I have build these before but none have actually processed credit cards.
Ive read over a few posts im sure ill have some more specific question on that topic soon.

But for now i was hoping if there were some scripts or examples of ways to validate user input into forms. What things should i be checking for. Like SQL injection?
thanks for your time
-Mark

markHulb

4:33 am on Apr 23, 2008 (gmt 0)

Double post sorry
I found this post [webmasterworld.com...]
some good info there.

dreamcatcher

2:05 pm on Apr 23, 2008 (gmt 0)

Hi markHulb, welcome to WebmasterWorld. :)

You might also find the following useful:
[phpsec.org...]

Chris Shiflett`s website is also full of useful tips:
[shiflett.org...]

markHulb

7:18 pm on Apr 23, 2008 (gmt 0)

Thanks for the links dc, Chris Shiflett stated in one of his articles, besides checking from a know set of "clean" values using mysql_real_escape_string() would be a good method of checking user input.
Ne thing more i need to use?

jatar_k

7:48 pm on Apr 23, 2008 (gmt 0)

only allow expected values and if there is anything that comes that is not in the expected set then send the whole thing back to the user to correct

willybfriendly

8:39 pm on Apr 23, 2008 (gmt 0)

only allow expected values and if there is anything that comes that is not in the expected set then send the whole thing back to the user to correct ...

I would emphasize this point.

You should know pretty well what kind of data will sow in each field on a form. Screen each field by type (alpha, numeric, both, etc.) and length. A US zip code, for instance, will either be 5 digits or 5 digits, a hyphen, and 4 more digits. A phone (depending on filed layout) 3 digits, 3 digits, and 4 digits.

I like to screen browser side first, and then again server side. It is possible to "auto-correct" some entries doing this, such as stripping or converting "alternate" characters (periods rather than hyphens in a phone number, spaces in a credit card number, etc.).

Use meaningful error messages for the user.

Be prepared for odd things like accented letters, hyphens or apostrophes in names (O'Donnell, Smith-Barney, etc.).

Your error checking routines will probably end up being a significant percentage of your code.

g1smd

7:57 pm on Apr 26, 2008 (gmt 0)

When talking about ZIP code and telephone numbers be aware that other countries use different formats, and different number of digits/characters.