By Richard Lindberg, aka RiBiNiN, CastleCops Staff Writer
October 20, 2006
A couple of years ago the Santy worm was a big problem on phpBB systems. This was a bug that allowed a Perl script to be placed in a text comment; when the text was viewed, the script ran. Websites were defaced and in some cases simply abandoned, because they couldn't be rebuilt without more effort than the owner wished to expend.
What is proper validation for a text field? This is a tough situation for the developer. If it is too loose, you get SQL injection or cross-site scripting problems. If it is too tight, you get user complaints.
Consider this code.

    // Rejects any text containing one of three characters: <, %, or '.
    // preg_match() replaces ereg(), which was removed in PHP 7.
    function isSafeText($Text)
    {
        if (preg_match("/<|%|'/", $Text))
        {
            return false;
        }
        return true;
    }
Not allowing these three characters will protect you from almost all the possible text field problems. The problem is that it is bound to annoy people writing comments, since there are perfectly valid reasons for one or more of these characters to appear in what they wrote. Besides that, it does nothing about spam in comments.
Are there any general rules that can be applied to free-form text fields?
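The trade-off in practice, as an added example that is not code from the article: the blacklist above rejects three ordinary comments while the alternative, storing the text untouched and neutralising it at each point of use (HTML entities on output, a prepared statement for the database), keeps every comment and still defuses the hostile one. The sample comments are constructed, and the in-memory SQLite database assumes the pdo_sqlite extension.

```php
<?php
// Added example, not code from the article. It contrasts the reject-on-input filter
// shown above with accepting any text and neutralising it at each point of use.

// The article's blacklist as a reference point. preg_match() replaces ereg(),
// which was removed in PHP 7. Returns false on a match or on a regex error.
function isSafeText(string $text): bool
{
    return preg_match("/<|%|'/", $text) === 0;
}

// HTML context: < > & " ' become entities, so stored text can neither open a tag
// nor break out of a quoted attribute, whatever characters it contains.
function renderCommentHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: a prepared statement keeps the text as data, so the apostrophe
// in "Don't" never terminates the SQL literal. Returns the row as read back.
function storeAndFetch(PDO $pdo, string $text): string
{
    $ins = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $ins->execute([':body' => $text]);
    $sel = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $sel->execute([':id' => (int) $pdo->lastInsertId()]);
    return $sel->fetchColumn();
}

// In-memory SQLite (assumes pdo_sqlite) so the example runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample comments: three legitimate ones the blacklist rejects, one hostile.
$samples = [
    "Don't forget to patch!",
    "100% agree with the article",
    "x < y holds here",
    "<script>alert(1)</script>",
];

foreach ($samples as $s) {
    $stored = storeAndFetch($pdo, $s);
    printf("%-28s blacklist: %-6s stored intact: %s  rendered: %s\n",
        $s, isSafeText($s) ? 'allow' : 'reject',
        $stored === $s ? 'yes' : 'no', renderCommentHtml($s));
}
```

Note that the escaping has to match the output context; htmlspecialchars() is right for an HTML body or quoted attribute but not, for example, for text placed inside a JavaScript string.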
* * * * *
Last time I asked what the coding error was that made it likely that bugs would be introduced when the code was maintained. There were two problems.
The first was that there are two attributes that need to be checked and I tried to check them both before the function using them was called. That’s fine for checking that the parameter exists, but not for its content. That should be done within the function.
The second was that I made the assumption that the output message would be two characters longer than the sum of the lengths of the input parameters. That's right now but may not be in the future.