I have been thinking about form security a lot lately. I have been told time and time again to check that form input is a number if you are expecting a number, or to escape it otherwise (unless you use proper mysqli formatting) to avoid injection.
After the safety checks are done, should I do additional logic checks? For example, if the user is sending a friend request to themselves, even though my user interface will not show the form when the user is looking at their own page.
Anything you do in HTML or JavaScript is not sufficient to prevent someone from posting data directly to your HTTP server. So treat anything that is sent by the browser (even cookies!) as "user input" and guard accordingly.
Because even though your form may not allow me to send a friend request to myself, if I'm running Fiddler I can just set a breakpoint, change a POST variable, then resume the request and your server has no idea.
In fact, that's a great eye opening exercise. If you go download Fiddler you can watch everything that the browser sends or receives with your web site. Anything being sent by the browser should not be implicitly trusted.
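The kind of handler the question and this answer describe, as an added example that is not part of the original post: it assumes the PHP/mysqli stack the question mentions, plus hypothetical `users(id)` and `friend_requests(from_id, to_id)` tables, and makes every decision from the session and from re-validated input rather than from what the form claims.

```php
<?php
// Added example, not from the original answer. Assumes the PHP/mysqli stack the
// question mentions, plus hypothetical `users(id)` and `friend_requests(from_id, to_id)` tables.

// Validate and store a friend request. Every decision uses server-side state (the
// session) and re-checked input, never what the form claims. Returns an error
// message, or null on success.
function handleFriendRequest(mysqli $db, int $sessionUserId, array $post): ?string
{
    // 1. Type check: the target id must be a positive integer, whatever the form sent.
    $target = filter_var($post['to_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($target === false) {
        return 'invalid target';
    }
    // 2. Logic check the UI alone cannot enforce: no requests to yourself. The
    //    sender id comes from the session, not from a POST field the client controls.
    if ($target === $sessionUserId) {
        return 'cannot send a friend request to yourself';
    }
    // 3. Existence check with a prepared statement: values are bound, not interpolated.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE id = ?');
    $stmt->bind_param('i', $target);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    if (!$exists) {
        return 'no such user';
    }
    // 4. Duplicate check: a pending request in either direction is rejected.
    $stmt = $db->prepare('SELECT 1 FROM friend_requests WHERE (from_id = ? AND to_id = ?) OR (from_id = ? AND to_id = ?)');
    $stmt->bind_param('iiii', $sessionUserId, $target, $target, $sessionUserId);
    $stmt->execute();
    $stmt->store_result();
    $dup = $stmt->num_rows > 0;
    $stmt->close();
    if ($dup) {
        return 'request already pending';
    }
    // 5. Insert, again with bound parameters.
    $stmt = $db->prepare('INSERT INTO friend_requests (from_id, to_id) VALUES (?, ?)');
    $stmt->bind_param('ii', $sessionUserId, $target);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? null : 'database error';
}

// Usage in the POST handler, after session_start() and authentication have run:
// $error = handleFriendRequest($db, (int) $_SESSION['user_id'], $_POST);
```

Each of the five checks still runs when the request comes from a proxy rather than the browser, which is the whole point of the answer above.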
Yes, you should. Haven't we all noticed a pattern in some site's URLs and then copied the URL but changed some part to get around some restriction in the site, bypassing login/access control? Do you want your site to be susceptible to that too?
You can't go far enough validating input. Treat it as garbage and plan accordingly. If you want everything to work smoothly make sure that everything checks out.