Security is the top priority for any type of application or software. Its importance keeps growing with every phase of software system or application development, and it is reflected in open source and commercial projects alike. Security is a very vast topic, and there are many ways to implement and maintain it at every stage. Filtering user input is one such way, and this article focuses on it.
About Filtering of User Input
Practically speaking, almost all applications or software systems depend on some external input or data in order to process it and produce output, or to start some process.
- This input or data is supplied by the user or, in some cases, by other applications (bots, web service clients, scanners and so on).
- Nobody knows what the nature of the user input might be; it can be harmless or it can be malicious.
- So it becomes mandatory for every developer to filter this incoming foreign data.
- Input filtering is one of the important processes in the security mechanism of any application software, and it is independent of the environment and language.
- Today there are many tools available that serve the purpose of filtering input or data, for example CGI for Perl.
- Foreign data can consist of anything, ranging from a web form to the results of database queries, and also cookies, files, web service data, environment variables, server variables and so on.
- The filter tools support all these kinds of user input.
- Testing, validating and filtering custom or user input data over and over again can be an annoying task that consumes time and effort.
- It is quite common that a tester forgets to write a test, or that a test, even if written, is incomplete.
- Filtering tools and extensions help curb these kinds of traps.
- Usually filter tools follow two types of filtering methodology:
  - Logical filtering: it involves a strong and stringent analysis of the input data, checking the correctness of the format; the expected type is returned if the data passes the test.
  - Sanitizing filtering: it involves determining whether or not to allow certain characters in a string. The data format is not really cared about in this type of filtering, and a string is always returned.
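The two methodologies above, as an added example that is not code from the original article or from any filter library it mentions. The logical filters return a typed value or `None`, the sanitizing filters always return a string, and a form filter applies one of them to each expected field while dropping fields the application never asked for. All function names, the regular expressions and the sample form are assumptions constructed for this example.

```python
import re
from typing import Optional

# --- Logical (validating) filters: strict format check, typed result or None ---

_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_int(raw: str, minimum: Optional[int] = None,
                 maximum: Optional[int] = None) -> Optional[int]:
    """Accept only an optionally signed decimal integer, optionally in a range."""
    text = raw.strip()
    if not re.fullmatch(r"[+-]?\d+", text):
        return None            # wrong format: reject, do not guess
    value = int(text)
    if minimum is not None and value < minimum:
        return None
    if maximum is not None and value > maximum:
        return None
    return value


def validate_email(raw: str) -> Optional[str]:
    """Return the address only if the whole string matches the expected shape."""
    text = raw.strip()
    return text if _EMAIL_RE.fullmatch(text) else None


# --- Sanitizing filters: remove disallowed characters, always return a string ---

def sanitize_digits(raw: str) -> str:
    """Keep only decimal digits (e.g. for a phone number field)."""
    return re.sub(r"\D", "", raw)


def sanitize_username(raw: str) -> str:
    """Keep only a small allowed character set and cap the length."""
    return re.sub(r"[^A-Za-z0-9_.-]", "", raw)[:32]


# --- Apply one filter per expected field; unexpected fields are discarded ---

def filter_signup_form(form: dict) -> dict:
    """Allowlist of fields: each known field gets exactly one filter."""
    return {
        "age": validate_int(form.get("age", ""), 0, 150),
        "email": validate_email(form.get("email", "")),
        "username": sanitize_username(form.get("username", "")),
        "phone": sanitize_digits(form.get("phone", "")),
    }


# Constructed sample submission (not real data); "extra" is a field the form never defined.
SAMPLE_FORM = {
    "age": "42",
    "email": "alice@example.com",
    "username": "alice<b>",
    "phone": "+1 (555) 010-2020",
    "extra": "should be ignored",
}

if __name__ == "__main__":
    print(filter_signup_form(SAMPLE_FORM))
```

The practical difference is in the failure mode: a logical filter that gets `"42abc"` for an age answers `None`, so the application can refuse the request, whereas a sanitizing filter silently returns the cleaned string and the application must still decide whether that string is acceptable.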
How can filters be useful?
- It is quite a misconception that filters provide an object oriented interface. It is not so.
- There are some filters that are also capable of turning ordinary line breaks into effective HTML tags.
- Using the filters you can decide which input formats are to be made available to the users, or you can put up a default format.
- While the application is working on the user input, keeping it as secure as possible prevents many security hazards.
- One of the most severe security risks is encountered whenever full HTML is posted without being filtered.
- Most of the PHP filters are considered to be dangerous, as they allow the execution of code-driven queries and other things on the database of the web site.
- For better input filtering, one needs to explore the modules for installing special filters that allow one to embed references to other resources, videos and so on.
- Input filtering is much like filtering water for drinking and other uses.
- In some cases the application functions with the malicious data as well; this leads to a kind of robustness of the application.
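Two of the points above, that some filters turn line breaks into HTML tags and that posting full HTML unfiltered is a severe risk, come together in the following added example. It is not code from the original article: it renders user-supplied text for an HTML page by escaping the markup characters first and only then converting line breaks to `<br>` tags, so any tag the user typed is shown as literal text. The function names and the sample comment are assumptions constructed for this example.

```python
import html
import re


def render_user_text(text: str) -> str:
    """Escape HTML metacharacters, then convert line breaks into <br> tags.

    Order matters: escaping must happen before the <br> tags are inserted,
    otherwise the tags we add would themselves be escaped into &lt;br&gt;.
    """
    escaped = html.escape(text, quote=True)          # < > & " ' become entities
    normalized = re.sub(r"\r\n?", "\n", escaped)     # CRLF / CR -> LF
    return normalized.replace("\n", "<br>\n")


def contains_markup(text: str) -> bool:
    """Cheap check whether raw input carries anything tag-like (for logging)."""
    return re.search(r"<[^>]*>", text) is not None


# Constructed sample comment (not real data) containing a tag and two lines.
SAMPLE_COMMENT = "<b>hello</b>\r\nsecond line"

if __name__ == "__main__":
    print("markup present:", contains_markup(SAMPLE_COMMENT))
    print(render_user_text(SAMPLE_COMMENT))
```

The `contains_markup` check is only a signal for logging or review; the rendering function does not rely on it, because escaping everything is what keeps the output safe regardless of what the check reports.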