Jump to content

Improper input validation

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Blaufish (talk | contribs) at 22:07, 4 March 2006. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

String programming is believed to be easy by programmers. This is hower not the case: several implementation / design flaws are associated with string programming, some of those are associated with security exploits.

Canonicalization problems

Software programmers often assume that strings are canonical. This a fallacy.

Example: HTML tags are not canonical

Fallacy: 

    "<script>" can only be written as "<script>"

This is not true. Many HTML processors will accept "<SPACEscript>" or "<NULscript>"

Concatenation problems

A lot of people believe that 

  String1 + User_Input_String + String2

will behave in some sort of controlled manner. This is not true.

String termination

In many environments, it is possible to truncate the string with clever input.

  • PHP: %00 (NUL) can terminate strings, when used for API calls.
  • Oracle: CHR(0) (NUL) can terminate strings when used for e.g. EXECUTE IMMEDIATE.

Comment out characters

In many environments, it is possible to "ask" the system to ignore the rest of the string, using "comment" characters.

  • Many languages: /* means ingore everything until a */ combination.
  • SQL: -- means ignore rest of line
  • Unix shells: # means ignore rest of line
Retrieved from "https://en.wikipedia.org/w/index.php?title=Improper_input_validation&oldid=42248325"