 

Should you do validation checks that go outside the possibility of normal user activity?

Tags:

php

mysql

I am thinking about form security a lot lately. I have been told time and time again to check if form input is a number if you are expecting a number or escape it in case (unless you use proper mysqli formatting) to avoid injection.

After the safety checks are done, should I do additional logic checks? For example, if the user is sending a friend request to themselves, even though my user interface will not show the form when the user is looking at their own page.

Scarface Avatar asked Apr 10 '10 03:04

Scarface


3 Answers

Anything you do in HTML or JavaScript is not sufficient to prevent someone from posting data directly to your HTTP server. So treat anything that is sent by the browser (even cookies!) as "user input" and guard accordingly.

Because even though your form may not allow me to send a friend request to myself, if I'm running Fiddler I can just set a breakpoint, change a POST variable, then resume the request and your server has no idea.

In fact, that's a great eye opening exercise. If you go download Fiddler you can watch everything that the browser sends or receives with your web site. Anything being sent by the browser should not be implicitly trusted.

Josh Avatar answered Sep 19 '22 13:09

Josh
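As an added example (not code from any of the answers above), here is how a PHP handler can re-check on the server what the UI already prevents: the sender comes from the session, the target id is type-checked, the self-request case is rejected, and the existence lookup uses a bound parameter. The `users` table, the `target_id` field, the session key and the connection credentials are assumed placeholders.

```php
<?php
// Added example: server-side checks for a "send friend request" POST.
// The form never offers a self-request, but the POST body can be edited
// in a proxy, so every check is repeated here.
// Assumed (hypothetical): $_SESSION['user_id'] holds the logged-in user,
// a `users` table with an integer `id` column, $db is an open mysqli link.

declare(strict_types=1);

function validate_friend_request(int $sessionUserId, array $post, mysqli $db): array
{
    $errors = [];

    // 1. Type check: expect a positive integer id; reject anything else
    //    instead of casting garbage into a number.
    $target = filter_var(
        $post['target_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($target === false) {
        $errors[] = 'target_id must be a positive integer';
        return $errors;
    }

    // 2. Logic check: no friend requests to yourself, even though the UI
    //    hides the form on your own profile page.
    if ($target === $sessionUserId) {
        $errors[] = 'cannot send a friend request to yourself';
    }

    // 3. Existence check with a prepared statement: the value is bound,
    //    never interpolated into the SQL string.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $target);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows === 0) {
        $errors[] = 'target user does not exist';
    }
    $stmt->close();

    return $errors;
}

// Usage in the POST handler: the sender id is taken from the session, not the form.
session_start();
$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // placeholder credentials
$errors = validate_friend_request((int) $_SESSION['user_id'], $_POST, $db);
if ($errors !== []) {
    http_response_code(400);
    exit(implode("\n", $errors));
}
// ... insert the friend request only after all checks pass
```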


Yes, you should. Haven't we noticed a pattern in some sites' URLs and then copied the URL but changed some part to get around some restriction in the site, bypassing login/access control? Do you want your site to be susceptible to that too?

naumcho Avatar answered Sep 18 '22 13:09

naumcho


Of course.

You can't go far enough validating input. Treat it as garbage and plan accordingly. If you want everything to work smoothly make sure that everything checks out.

Josh K Avatar answered Sep 21 '22 13:09

Josh K