Mar 06, 2013; 11:55
Jussi Hirvi
Canonicalization of form input
On 6.3.2013 9.57, Steve Piercy - Web Site Builder wrote:
> If you really want to make web applications secure, you should start by
> reading this.
> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The following is from
https://www.owasp.org/index.php/A1_2004_Unvalidated_Input
> Parameters should be validated against a “positive” specification
> that defines:
>
> Data type (string, integer, real, etc…)
> Allowed character set
> Minimum and maximum length
> Whether null is allowed
> Whether the parameter is required or not
> Whether duplicates are allowed
> Numeric range
> Specific legal values (enumeration)
> Specific patterns (regular expressions)
I would be interested to hear about standard practices in Lasso, even at
the code level.
Example: process input to a field labeled "First Name".
How safe am I (in terms of malicious attacks), if I do simply:
var('firstname') = action_param('firstname');
inline(-add,$myDbConfig,-table=blabla,'firstname'=$firstname);
/inline;
- Jussi
#############################################################
This message is sent to you because you are subscribed to
the mailing list Lasso
Lasso@lists.lassosoft.com
To unsubscribe, E-mail to: <Lasso-unsubscribe@lists.lassosoft.com>
Send administrative queries to <Lasso-request@lists.lassosoft.com>
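Added example, not part of this thread and not Lasso code: the OWASP positive-specification checklist quoted above, worked through in Python for the "First Name" field in Jussi's example. The field rules (1 to 50 characters, Unicode letters plus space, apostrophe and hyphen, letter groups separated by single separators), the parameter name and the sample submissions are assumptions made for this example. The parameter is handled as a list, the way form parsers deliver repeated fields, so the duplicate check can be shown, and canonicalization (NFC, whitespace) runs before any check so that every rule sees one representation of the input.

```python
import re
import unicodedata

# Positive specification for the 'firstname' parameter. Every limit and the
# pattern below are assumptions made for this example, not values from the thread.
FIRSTNAME_SPEC = {
    "type": str,                 # data type
    "required": True,            # whether the parameter is required
    "allow_null": False,         # whether null is allowed
    "allow_duplicates": False,   # whether duplicates are allowed
    "min_len": 1,                # minimum length (measured after canonicalization)
    "max_len": 50,               # maximum length
    # allowed character set: Unicode letters plus space, apostrophe, hyphen
    "charset": lambda ch: ch.isalpha() or ch in " '-",
    # specific pattern: letter groups joined by exactly one space, ' or -
    "pattern": re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$"),
}


class ValidationError(ValueError):
    """Raised when a parameter fails its positive specification."""


def canonicalize(raw):
    """Reduce the input to one canonical form before any check runs.

    NFC makes 'e' + combining acute and precomposed 'é' the same string, so
    the length limit and the pattern see a single representation. Surrounding
    whitespace is trimmed and internal runs are collapsed to one space.
    """
    text = unicodedata.normalize("NFC", raw)
    return " ".join(text.split())


def validate_firstname(params, spec=FIRSTNAME_SPEC):
    """Validate params['firstname'] (a list, as form parsers deliver it).

    Returns the canonical value, or None when the parameter is absent or null
    and that is allowed. Rejects rather than sanitizes: anything outside the
    specification raises ValidationError.
    """
    values = params.get("firstname", [])
    if not values:
        if spec["required"]:
            raise ValidationError("firstname is required")
        return None
    if len(values) > 1 and not spec["allow_duplicates"]:
        raise ValidationError("duplicate firstname parameters")
    raw = values[0]
    if raw is None:
        if spec["allow_null"]:
            return None
        raise ValidationError("firstname may not be null")
    if not isinstance(raw, spec["type"]):
        raise ValidationError("firstname has the wrong data type")

    value = canonicalize(raw)

    # Control characters (NUL, ESC, anything in category C*) never belong in a name.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        raise ValidationError("control character in firstname")
    if not spec["min_len"] <= len(value) <= spec["max_len"]:
        raise ValidationError("firstname length out of range")
    if not all(spec["charset"](ch) for ch in value):
        raise ValidationError("firstname contains a character outside the allowed set")
    if not spec["pattern"].fullmatch(value):
        raise ValidationError("firstname does not match the required pattern")
    return value


def try_validate(params):
    """(True, value) on acceptance, (False, reason) on rejection."""
    try:
        return True, validate_firstname(params)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample submissions, shaped as a form parser would hand them over.
    samples = [
        {"firstname": ["  Jussi  "]},                     # accepted, trimmed
        {"firstname": ["Jose\u0301"]},                     # accepted as NFC "José"
        {"firstname": ["O'Brien"]},                        # accepted: apostrophe is legal
        {"firstname": ["Robert'); DROP TABLE users;--"]},  # rejected: ) and ; not allowed
        {"firstname": ["\x00admin"]},                      # rejected: control character
        {"firstname": ["Ann", "Bob"]},                     # rejected: duplicate parameter
        {},                                                # rejected: required
    ]
    for submission in samples:
        print(submission, "->", try_validate(submission))
```

Note that "O'Brien" is accepted, and must be: the apostrophe is a legitimate name character, so positive validation narrows what reaches the database but does not replace binding or escaping of the value in the database layer. The example validates the raw parameter and stops there; how the value is then written is a separate question for whatever the inline does with it.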
Mar 06, 2013; 10:12
Jolle Carlestam
Re: Canonicalization of form input
Mar 06, 2013; 02:34
Steve Piercy - Web Site Builder
Re: Canonicalization of form input