Web Programming Week 8 Old Dominion University Department of Computer Science CS 418/518 Fall 2007 Michael L. Nelson <mln@cs.odu.edu> 10/15/07

Server-Side Input Validation Client-side input validation is nice but not a replacement for server-side validation client-side security == no security malicious or broken clients client-side (Javascript) examples: http://www.codeave.com/javascript/category.asp?u_category=Forms Server-side can be built using: empty(), is_numeric(), is_string(), is_bool(), is_array(), is_object(), etc. http://us2.php.net/manual/en/ref.var.php

Escaping HTML <?php $orig = "I'll \"walk\" the <b>dog</b> now"; $a = htmlentities($orig); $b = html_entity_decode($a); echo $a; // I'll "walk" the <b>dog</b> now echo $b; // I'll "walk" the <b>dog</b> now ?> See http://us2.php.net/manual/en/function.html-entity-decode.php Also: Type-2 XSS Attack: http://en.wikipedia.org/wiki/Cross-site_scripting And: http://en.wikipedia.org/wiki/Category:Lightweight_markup_language

Separate URI to Handle Errors … if (empty($var1) { $errors .= "$var1 should not be empty"; } if (!is_numeric($var2) { $errors .= "$var2 should be a number"; // check all anticipated error conditions if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header("Location: http://foo.edu/error.php?error=$errors");

Same URI to Handle Errors … if (empty($var1) { $errors .= "$var1 should not be empty"; } if (!is_numeric($var2) { $errors .= "$var2 should be a number"; // check all anticipated error conditions if (empty($errors)) { // do interesting work } else { internal_error_function($errors); function internal_error_function ($errors) { // generate pretty HTML response // provide link to start over

Same URI with Error Argument … if (empty($var1) { $errors .= "$var1 should not be empty"; } if (!is_numeric($var2) { $errors .= "$var2 should be a number"; // check all anticipated error conditions if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header("Location:".$_SERVER["REQUEST_URI"]."?errors=$errrors";

Encoding/Decoding URLs RFC-1738 requires “unsafe” and “reserved” characters to be encoded in URIs: http://www.rfc-editor.org/rfc/rfc1738.txt Reserved examples “/”, “:”, “?”… Unsafe examples [space], “%”, “#”… PHP urlencode(), urldecode() http://us2.php.net/manual/en/function.urlencode.php http://us2.php.net/manual/en/function.urldecode.php More info: http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

Regular Expressions More Info: http://us2.php.net/regex if ( !ereg ("([0-9]{2})-([0-9]{2})-([0-9]{4})", $_POST['movie_release'] , $reldatepart) ) { $error .= "Please+enter+a+date+with+the+dd-mm-yyyy+format"; } if $_POST['movie_release'] == 31-05-1969 then: $reldatepart[0] = 31-05-1969 $reldatepart[1] = 31 $reldatepart[2] = 05 $reldatepart[3] = 1969

Date/Time More info: http://us2.php.net/manual/en/ref.datetime.php $movie_release = mktime ( 0, 0, 0, $reldatepart['2'], $reldatepart['1'], $reldatepart['3']); // $seconds_since_Jan1st1970 = mktime(hour,min,sec,month,day,year)

Apache httpd.conf % less /etc/apache2/httpd.conf … # # Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html #ErrorDocument 404 "/cgi-bin/missing_handler.pl" #ErrorDocument 402 http://www.example.com/subscription_info.html

SMTP Mesg PHP syntax: mail($to,$subject,$body,$headers) From mln@cs.odu.edu Mon Oct 16 14:41:35 2006 Return-Path: <mln@cs.odu.edu> Received: from ruby.ils.unc.edu (ruby.ils.unc.edu [152.2.81.1]) by cartero.cs.odu.edu (8.13.6/8.13.6) with ESMTP id k9GIfZw3001706 for <mln@cs.odu.edu>; Mon, 16 Oct 2006 14:41:35 -0400 (EDT) Received: from cartero.cs.odu.edu (cartero.cs.odu.edu [128.82.4.9]) by ruby.ils.unc.edu (8.12.11.20060308/8.12.10) with ESMTP id k9GIfYFK012598 for <mln@ils.unc.edu>; Mon, 16 Oct 2006 14:41:34 -0400 Received: from tango.cs.odu.edu (tango.cs.odu.edu [128.82.4.75]) by cartero.cs.odu.edu (8.13.6/8.13.6) with ESMTP id k9GIfYJR001703 for <mln@ils.unc.edu>; Mon, 16 Oct 2006 14:41:34 -0400 (EDT) Received: from localhost (mln@localhost) by tango.cs.odu.edu (8.12.9+Sun/8.13.5/Submit) with ESMTP id k9GIfYRf026120 X-Authentication-Warning: tango.cs.odu.edu: mln owned process doing -bs Date: Mon, 16 Oct 2006 14:41:34 -0400 (EDT) From: Michael Nelson <mln@cs.odu.edu> To: mln@ils.unc.edu Subject: test email mesg Message-ID: <Pine.GSO.4.58.0610161441010.3863@tango.cs.odu.edu> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: R X-Status: X-Keywords: this is an email that I'm sending to myself (albeit through a different email addr). ---- Michael L. Nelson mln@cs.odu.edu http://www.cs.odu.edu/~mln/ Dept of Computer Science, Old Dominion University, Norfolk VA 23529 +1 757 683 6393 +1 757 683 4900 (f) SMTP Mesg PHP syntax: mail($to,$subject,$body,$headers)