Form Validator “Hasta La Vista SQL Injection”

Their Job, Our Job, Its Job
Chris Anley mentions four best practices to avoid SQL injection:
– Three are sys. admin and DBA tasks.
– Only one is related exclusively to coding: comprehensive input validation.
That’s what the Form Validator does!

You’re Not Saying…?!?
No, this is NOT the silver bullet for security, or even just for SQL injection.
Comprehensive input validation:
– “Comprehensive” now may not be comprehensive tomorrow.
– Your “comprehensive” may be more than mine.
We need a foundation on which to build.

Another “Perfectly Conceived” Acronym
FDF originally stood for Form DeFinition.
– Hideously stupid.
It could stand for Form Definition File.
– I like this one.
Whatever you call it, here lie the building blocks of the Form Validator: XML.

Form Definition File
Built on XML.
Makes use of a set of pre-defined tags to create rules for a form and for the elements on that form.
Each FDF file (after the <?xml ?> declaration) begins with the <fdf> tag.
Structure of all of the tags under <fdf>…

From <fdf> to </fdf>
fdf
– form
– return
– group (optional)
    id
    required
    total
– rule (optional attribute groupid="…")
    display
    field
    length
    type
    required

Elements Explained…
form
– Describes the name of the form which the validator is validating.
– XML syntax: <form>…</form>
return
– Describes the URL of the page which contains the above form.
– XML syntax: <return>…</return>

Grouped Fields
Need an “Outta”?
group
– Contains the information for a particular set of grouped fields.
– XML syntax: <group><id>…</id><required>…</required><total>…</total></group>
– Optional “groupid” attribute

Form Validator – Ruler of the Form
The individual rules for each form element.
rule
– Contains the information for a particular form field.
– XML syntax: <rule><display>…</display><field>…</field><length>…</length><type>…</type><required>…</required></rule>

Grouped By Group ID
The “groupid” attribute can be given to a rule to associate it with a group of rules.
For example:
<group><id>…</id></group>
<rule groupid="…">…</rule>

Stick Together and We’ll Make It Through
All <group>…</group> tags must come together, before all <rule>…</rule> tags.
The format is:
<group>…</group>
<group>…</group>
<rule>…</rule>
<rule>…</rule>
<rule>…</rule>

Sample FDF
<fdf>
  <form>frmSave</form>
  <return>index.cfm?subap=Lubay&action=EditItem&ItemID=#ItemID#</return>
  <group><id>group1</id> group </group>
  <rule groupid="group1">
    <display>Title</display>
    <field>txtItemName</field>
    <type>Char</type>
    <required>1</required>
  </rule>
  <rule groupid="group1">
    <display>Description</display>
    <field>txtDescription</field>
    <type>Char</type>
    <required>1</required>
  </rule>
  <rule>
    <display>Name</display>
    <field>txtName</field>
    <type>Char</type>
    <required>0</required>
  </rule>
</fdf>

Pause for Effect
Normal form system methodology:
Form Posted → SQL Generated → SQL Run on DB

Pause for Effect
Form Validator system:
Form Posted → Checked Against FDF → SQL Generated → SQL Run on DB
All you have to do is plug in the Form Validator.

How to “Plug It In”
Find the file to which a form is posted.
Before ANY action is taken with that data (e.g. before it is dynamically placed in a SQL query), call the Form Validator.
Example Call
If all of the data submitted is valid according to the FDF rules, nothing happens and the action on the data takes place.
If any of the data submitted is not valid…

Watch Out! A Boomerang!
If any of the data submitted is not valid, then the page pointed to by the URL in the <return>…</return> tag in the FDF needs to be ready to receive:
– h_field-name hidden form fields, which contain all data fields submitted to the validator.
– err_field-name hidden form fields, which contain an error message for each field that failed validation.

Another Look…
Form Validator system:
Form Posted → Checked Against FDF
– Valid form fields → SQL Generated → SQL Run on DB
– h_ and err_ form fields → back to the form

Example Form Code
<input type="text" name="txtItemName" value="#h_txtItemName#"><br>
#err_txtItemName#
Steps to receive erred form data from the Form Validator:
– Check for the presence of h_field-name and set the value of the form element equal to it.
– Check for the presence of err_field-name and output the error in some way if it exists.
– Check for the presence of err_group-id. Whenever you have set up a group by using the <group>…</group> tags in the FDF, the form needs to be set up to receive errors which happen at the group level. They will be stored in the “err_group-id” form field.
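The FDF structure from the earlier slides and the plug-in flow described here (validate before the data is used, bounce h_ and err_ fields back to the <return> page on failure) can be exercised end to end with the following added example. It is written in Python, not ColdFusion, and is not the presentation's Form Validator. Everything beyond the slide's tag names is an assumption: the group semantics (at least <required> of the <total> grouped fields must be filled in), a Numeric type in addition to the slides' Char, the function names load_fdf and validate, and the sample FDF and posted values, which are constructed.

```python
"""FDF-driven form validation, re-implemented in Python as an added example.

The slides describe a ColdFusion Form Validator; this module is not that
tool. It reads a Form Definition File (same <fdf>/<form>/<return>/<group>/
<rule> tags as the slides), checks posted fields against it, and returns
either a "valid" verdict or the h_<field> / err_<field> values the <return>
page is expected to handle. Group semantics and the Numeric type are
assumptions, not something the slides define.
"""
import xml.etree.ElementTree as ET

# Constructed sample FDF modelled on the slides' example (not from the page).
SAMPLE_FDF = """<?xml version="1.0"?>
<fdf>
  <form>frmSave</form>
  <return>index.cfm?subap=Lubay&amp;action=EditItem&amp;ItemID=#ItemID#</return>
  <group><id>contact</id><required>1</required><total>2</total></group>
  <rule>
    <display>Title</display><field>txtItemName</field>
    <length>40</length><type>Char</type><required>1</required>
  </rule>
  <rule>
    <display>Quantity</display><field>txtQty</field>
    <type>Numeric</type><required>1</required>
  </rule>
  <rule groupid="contact">
    <display>Phone</display><field>txtPhone</field><type>Char</type><required>0</required>
  </rule>
  <rule groupid="contact">
    <display>Email</display><field>txtEmail</field><type>Char</type><required>0</required>
  </rule>
</fdf>
"""


def load_fdf(xml_text):
    """Parse an FDF document into a dict, enforcing the slides' ordering rule
    that every <group> precedes every <rule>."""
    root = ET.fromstring(xml_text)
    if root.tag != "fdf":
        raise ValueError("FDF must begin with the <fdf> tag")
    spec = {"form": root.findtext("form"), "return": root.findtext("return"),
            "groups": {}, "rules": []}
    seen_rule = False
    for child in root:
        if child.tag == "group":
            if seen_rule:
                raise ValueError("all <group> tags must come before all <rule> tags")
            spec["groups"][child.findtext("id")] = {
                "required": int(child.findtext("required")),
                "total": int(child.findtext("total")),
            }
        elif child.tag == "rule":
            seen_rule = True
            length = child.findtext("length")
            spec["rules"].append({
                "display": child.findtext("display"),
                "field": child.findtext("field"),
                "length": int(length) if length else None,
                "type": child.findtext("type") or "Char",
                "required": child.findtext("required") == "1",
                "groupid": child.get("groupid"),   # optional attribute
            })
    return spec


def _type_ok(type_name, value):
    """Type check: Char accepts any text; Numeric (assumed type) digits only."""
    if type_name == "Char":
        return True
    if type_name == "Numeric":
        return value.isdigit()
    raise ValueError(f"unknown FDF type {type_name!r}")


def validate(spec, posted):
    """Check posted fields against the FDF. On success return valid=True; on
    failure return the <return> URL plus the h_/err_ fields to post back."""
    errors = {}
    filled_in_group = {gid: 0 for gid in spec["groups"]}
    for rule in spec["rules"]:
        field, label = rule["field"], rule["display"]
        value = posted.get(field, "").strip()
        if value == "":
            if rule["required"]:
                errors[field] = f"{label} is required."
            continue
        if rule["groupid"] in filled_in_group:
            filled_in_group[rule["groupid"]] += 1
        if rule["length"] is not None and len(value) > rule["length"]:
            errors[field] = f"{label} must be at most {rule['length']} characters."
        elif not _type_ok(rule["type"], value):
            errors[field] = f"{label} must be {rule['type']}."
    # Assumed group rule: at least <required> of the <total> grouped fields filled.
    for gid, grp in spec["groups"].items():
        if filled_in_group[gid] < grp["required"]:
            errors[gid] = (f"At least {grp['required']} of the {grp['total']} "
                           f"{gid} fields must be filled in.")
    if not errors:
        return {"valid": True, "return": None, "fields": {}}
    fields = {"h_" + name: val for name, val in posted.items()}   # echo all input
    fields.update({"err_" + name: msg for name, msg in errors.items()})
    return {"valid": False, "return": spec["return"], "fields": fields}


if __name__ == "__main__":
    result = validate(load_fdf(SAMPLE_FDF),
                      {"txtItemName": "", "txtQty": "3x", "txtPhone": "", "txtEmail": ""})
    for name, val in sorted(result["fields"].items()):
        print(f"{name} = {val!r}")
```

The <return> page then renders value="#h_txtItemName#" and #err_txtItemName# exactly as the example form code above shows, with the group error arriving as err_contact. Note what this foundation does and does not give you: a field of type Char accepts any text, so the SQL built after validation still has to bind the values as parameters (<cfqueryparam> in ColdFusion) rather than concatenating them into the query string.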

Form Validator Summary
Create a Form Definition File.
Call the Form Validator before using the form elements.
Create the form in such a way that it is capable of filling in the form elements with posted data and displaying the error messages associated with bad fields.

Form Validator
Questions?