
Friday, April 27, 2012

What is meant by correct filtering of user input?

Security is the top priority for any type of application or software, and its importance grows with every phase of system development. This is reflected in open source and commercial projects alike. Security is a very broad topic, and there are many ways to implement and maintain it at every stage. Filtering of user input is one such way, and this article focuses on it.

About Filtering of User Input

In practice, almost all applications or software systems depend on some external input or data in order to process, to produce output, or to start some process.
- This input is supplied by the user or, in some cases, by other applications (bots, web service clients, scanners and so on).
- Nobody knows the nature of the input in advance: it can be harmless or it can be malicious.
- So it becomes mandatory for every developer to filter this incoming foreign data.
- Input filtering is one of the important parts of the security mechanism of any application and is independent of environment and language.
- Today there are many tools that serve the purpose of filtering input or data, for example CGI for Perl.
- Foreign data can be anything from a web form to the results of database queries, as well as cookies, files, web service data, environment variables, server variables and so on.
- The filter tools support all these kinds of input.
- Testing, validating and filtering custom user input by hand every time is an annoying task that consumes time and effort.
- It is quite common that a tester forgets to write a test, or writes one that is incomplete.
- Filtering tools and extensions help avoid these traps.
- Filter tools usually follow two filtering methodologies:
  1. Logical filtering: a strong and strict analysis of the input data that checks the correctness of its format; if the data passes the test, the value is returned in the expected type.
  2. Sanitizing filtering: deciding whether or not to allow certain characters in a string. The data format is not considered in this type of filtering, and a string is always returned.
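To make the difference between the two methodologies concrete, here is an added example (not code from the post or from any particular filter tool) that implements both over constructed request parameters: a logical filter that returns a typed value or rejects the input, and sanitizing filters that only strip or encode characters and always return a string. The field names and ranges are assumptions.

```python
import re
from typing import Optional

# Constructed sample request parameters standing in for untrusted input.
SAMPLES = {"age": "42abc", "count": "17", "user": "<b>alice</b>"}


def validate_int(raw: str, lo: int, hi: int) -> Optional[int]:
    """Logical filtering: strict format check on the whole string, then a
    range check; returns a typed int on success or None on rejection."""
    if not re.fullmatch(r"[+-]?\d+", raw.strip()):
        return None
    value = int(raw)
    return value if lo <= value <= hi else None


def sanitize_int_chars(raw: str) -> str:
    """Sanitizing filtering: keep only digits and sign characters.
    The format is not checked, so '42abc' quietly becomes '42'."""
    return re.sub(r"[^0-9+-]", "", raw)


# Characters that would let text be interpreted as HTML markup.
HTML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def sanitize_html_chars(raw: str) -> str:
    """Sanitizing filtering for text destined for an HTML page: encode the
    markup characters instead of rejecting the input; always returns a str."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in raw)


def filter_request(params: dict) -> dict:
    """Apply the methodology that fits each field (assumed field names).
    Numeric fields are validated and come back typed (None if rejected);
    free text is sanitized and comes back as a safe string."""
    return {
        "age": validate_int(params.get("age", ""), 0, 150),
        "count": validate_int(params.get("count", ""), 0, 1000),
        "user": sanitize_html_chars(params.get("user", "")),
    }
```

Running `filter_request(SAMPLES)` rejects the malformed age while `sanitize_int_chars("42abc")` would have accepted it as "42", which is exactly why the two methodologies are chosen per field rather than interchangeably.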

How can filters be useful?

- It is a common misconception that filters provide an object oriented interface; they do not.
- Some filters are also capable of turning ordinary line breaks into the corresponding HTML tags.
- Using filters, you can decide which input formats are made available to users, or set a default format.
- Keeping user input as secure as possible while the application works on it prevents many security hazards.
- One of the most severe security risks arises whenever full HTML is posted without being filtered.
- Most PHP filters are considered dangerous, as they allow the execution of code-driven queries and other operations on the web site's database.
- For better input filtering, explore the modules for installing special filters that allow embedding references to other resources, videos and so on.
- Input filtering is much like filtering water for drinking and other uses.
- In some cases the application keeps functioning even with malicious data; this gives the application a kind of robustness.
