Improper input validation

This article may require cleanup to meet Wikipedia's quality standards. No cleanup reason has been specified. Please help improve this article if you can. (March 2006) (Learn how and when to remove this message)

String programming is believed to be easy by programmers. This is hower not the case: several implementation / design flaws are associated with string programming, some of those are associated with security exploits.

Software programmers often assume that strings are canonical. This a fallacy.

Fallacy:

    "<script>" can only be written as "<script>"

This is not true. Many HTML processors will accept "<SPACEscript>" or "<NULscript>"

A lot of people believe that

  String1 + User_Input_String + String2

will behave in some sort of controlled manner. This is not true.

In many environments, it is possible to truncate the string with clever input.

• PHP: %00 (NUL) can terminate strings, when used for API calls that uses it to terminate strings.
• Oracle: CHR(0) (NUL) can terminate strings when used for e.g. EXECUTE IMMEDIATE.

In many environments, it is possible to "ask" the system to ignore the rest of the string, using "comment" characters.

• Many languages: /* means ignore everything until a */ combination.
• SQL: -- means ignore rest of line
• Unix shells: # means ignore rest of line

• Format string attack - *printf format strings are dangerous
• Buffer overflow - Buffer overflows often occurs in unsafe string functions
• Cross-site scripting - unsafe output of input strings
• Directory traversal - concatenating strings to create a filename is not a good idea
• SQL injection - concatenating strings to create a SQL statement is not a good idea