Example (OK, could be spiffier): Say you want to show the user the grades
for a certain class, and you create a prompt on your web form:
    Course: AAA3000' and course = 'AAA4000
The string
    AAA3000' and course = 'AAA4000
is placed in the $course variable. When the $course variable is substituted into
the SQL statement
    select grades from grades_table where course = '$course';
it becomes
    select grades from grades_table where course = 'AAA3000' and course = 'AAA4000';
Oops. The user's input has rewritten the logic of the query instead of just
supplying a value for it.
If the user has authenticated (say, with Gatorlink), perform a lookup
on user information (say, in the UF directory) instead of having the
user input it. While directory info may not be perfect, it's correctable
in one place, as opposed to users entering the wrong data over and over
again.
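Here is a worked version of both points above, as an added example that is not part of the original note: the `$course` substitution from the first half next to a parameterized query, and a lookup driven by the authenticated user's directory entry instead of a form field. It assumes an in-memory SQLite database, a constructed `grades_table`, and a constructed `DIRECTORY` mapping standing in for whatever directory (the UF directory, say) the site actually has; the function names are mine.

```python
import sqlite3

# Constructed sample data (not from the original note): a grades table and a
# small "directory" mapping an authenticated username to the courses it is in.
SAMPLE_ROWS = [
    ("AAA3000", "alice", "A"),
    ("AAA3000", "bob", "B"),
    ("AAA4000", "alice", "B+"),
]
DIRECTORY = {"alice": ["AAA3000", "AAA4000"], "bob": ["AAA3000"]}


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table grades_table (course text, student text, grades text)")
    conn.executemany("insert into grades_table values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(course):
    """The note's pattern: the form value is pasted into the SQL text.

    Whatever the user typed, quotes included, becomes part of the statement,
    so the input decides the shape of the query, not just a value in it.
    """
    return "select grades from grades_table where course = '%s' order by student" % course


def lookup_unsafe(conn, course):
    """Run the substituted statement exactly as the note describes."""
    return [row[0] for row in conn.execute(build_query_unsafe(course))]


def lookup_safe(conn, course):
    """Parameterized form: the driver sends the value separately from the SQL.

    The whole input is compared as one course name; it cannot add a second
    'and course = ...' clause or otherwise change the statement.
    """
    sql = "select grades from grades_table where course = ? order by student"
    return [row[0] for row in conn.execute(sql, (course,))]


def own_grades_safe(conn, username, course):
    """Grades for one student in one course, both values passed as parameters."""
    sql = "select grades from grades_table where course = ? and student = ?"
    return [row[0] for row in conn.execute(sql, (course, username))]


def grades_for_authenticated_user(conn, username):
    """The note's second recommendation: once the user has authenticated,
    take the course list from the directory rather than from the form.
    The user never supplies a course string, so there is nothing to inject,
    and a wrong directory entry is fixed in one place."""
    return {course: own_grades_safe(conn, username, course)
            for course in DIRECTORY.get(username, [])}


if __name__ == "__main__":
    conn = make_db()
    payload = "AAA3000' and course = 'AAA4000"   # the string from the note
    print(build_query_unsafe(payload))
    print("substituted:", lookup_unsafe(conn, payload))
    print("parameterized:", lookup_safe(conn, payload))
    print("directory-driven:", grades_for_authenticated_user(conn, "alice"))
```

Running it prints the rewritten statement from the note for the substituted version, while the parameterized version simply looks for a course literally named `AAA3000' and course = 'AAA4000` and finds none; the directory-driven lookup returns each course the authenticated user is enrolled in with only that user's grade.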