
When to cleanse input?

Posted: Mon Mar 24, 2008 10:26 pm
by Sequalit
Where would be the best place to cleanse (de-CSS/XSS) data that gets input into the website?

Right when you get the data in your code, such as in a login script, at the top of the code before you actually process the login, or while you are processing the login?

Examples

login.php

$_SESSION['username'] = $this->cleanse($_POST['username']);
$_SESSION['password'] = $this->cleanse($_POST['password']);

// login function does not have to worry about corrupt data, can pull directly from session
// and all other classes can pull from session without worry
processLogin($_SESSION['username'], $_SESSION['password']);
Or have it so that all classes have to cleanse the data themselves before they use it?

Wait, I already know the answer... cleanse it first so you don't have to worry about it during the rest of the code ^.^

Re: When to cleanse input?

Posted: Tue Mar 25, 2008 1:42 am
by Mordred
At the last possible moment (i.e. inside the function).
What you call "cleansing" is not a single thing you do on the input. Every function you call with user-supplied data may require its own "cleansing" mechanism. That's why you don't do it at the beginning of the script: at that point you don't know what you'll use the data for. By the way, it's actually two things, called escaping and validation (I feel you're combining both in your "cleansing" term, and they are different things). The first prevents syntactic attacks and the second prevents business logic attacks.

Re: When to cleanse input?

Posted: Tue Mar 25, 2008 2:29 pm
by Sequalit
What is a business logic attack?

Ok thanks for info.

I was wondering: it would be a lot easier to design a global function for escaping and one for validation, and if I have to change something, change it there instead of having to change it in every little module of my web application.

Re: When to cleanse input?

Posted: Wed Mar 26, 2008 3:46 am
by matthijs
Sequalit wrote: I was wondering: it would be a lot easier to design a global function for escaping and one for validation, and if I have to change something, change it there instead of having to change it in every little module of my web application.
But that's the thing: there cannot be a single global function for escaping and one for validation. That's impossible. Why? How data should be validated or escaped depends on the context.

In one layer of your system, you validate a piece of data with function X; in another layer of your system you validate that same piece of data with function Y. To give a concrete example: when you put data into a MySQL database, you escape it with mysql_real_escape_string(). If you output that same piece of data to HTML, you escape it with htmlentities(). (Roughly; there are more ways.)

If you think about it, it's quite logical. Say you have a piece of text with some HTML code in it. That little snippet of HTML doesn't do any harm when it's placed in your database. However, when it's output on your web page, that same piece of HTML can be harmful.
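The point made in the two replies above (validation is a business rule checked at the boundary, escaping belongs to the sink and is done at the last moment, and the same string needs different treatment in the database and in HTML) is shown here as an added example; it is not code from the thread or from either poster. It assumes PHP 7.1 or later with the PDO SQLite driver, and it swaps in a PDO prepared statement for the database context because the mysql_real_escape_string() function named above was removed together with the mysql extension in PHP 7. The function names and the hostile input are constructed for the example.

```php
<?php
// Added example (not from the original thread): one user-supplied string,
// handled differently in each context it reaches.
// Assumes PHP 7.1+ with the PDO SQLite driver. All input below is constructed.

declare(strict_types=1);

// Validation: a business rule about what a username may look like.
// It rejects values the application never wants; it does not make the
// value "safe" for any particular sink.
function validateUsername(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $username);
}

// Database context: the value is bound as a parameter, so the database
// driver never parses it as SQL. The stored text stays exactly as typed.
function storeProfile(PDO $db, string $username, string $bio): void
{
    $stmt = $db->prepare('INSERT INTO profiles (username, bio) VALUES (:u, :b)');
    $stmt->execute([':u' => $username, ':b' => $bio]);
}

function loadBio(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT bio FROM profiles WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $bio = $stmt->fetchColumn();
    return $bio === false ? null : $bio;
}

// HTML context: the same bio that was harmless in the database is escaped
// for the page it is printed into, at the moment it is printed.
function renderBio(string $bio): string
{
    return '<p class="bio">'
        . htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Demonstration with an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (username TEXT PRIMARY KEY, bio TEXT NOT NULL)');

$username = 'obrien_42';                                   // constructed
$bio = "O'Brien says: <script>alert('xss')</script>";      // constructed hostile input

if (!validateUsername($username)) {
    exit("rejected username\n");
}

storeProfile($db, $username, $bio);

// What comes back out of the database is byte-for-byte what went in:
// the apostrophe and the <script> tag did no harm there.
$stored = loadBio($db, $username);
assert($stored === $bio);

// Only at the HTML sink is the value escaped, and escaped for HTML specifically.
echo renderBio($stored), "\n";
```

Note that neither validateUsername() nor the prepared statement does anything for the HTML context: if renderBio() printed $stored without htmlspecialchars(), the script tag would run in the browser even though the database stored it without incident. That is why the escaping call lives next to the echo and not at the top of the script.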

Re: When to cleanse input?

Posted: Wed Mar 26, 2008 10:48 am
by Sequalit
aite.

Is there a resource on the web that explains in which situations you should use those commands for escaping/validation?

Re: When to cleanse input?

Posted: Wed Mar 26, 2008 11:39 am
by matthijs
A good start is http://phpsecurity.org/ and the authors' site

Re: When to cleanse input?

Posted: Wed Mar 26, 2008 6:18 pm
by Sequalit
Okay, thank you for those links, I will get reading up on them :)

Thank you for your time and help!