Web Programming, Week 7
Old Dominion University, Department of Computer Science, CS 418/518, Fall 2007
Michael L. Nelson, 10/06/08
Server-Side Input Validation
Client-side input validation is nice, but it is not a replacement for server-side validation:
client-side security == no security
malicious or broken clients
client-side (JavaScript) examples: (links not captured on the slide)
Server-side validation can be built using: empty(), is_numeric(), is_string(), is_bool(), is_array(), is_object(), etc.
Escaping HTML
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now  (PHP 8.1+ defaults to ENT_QUOTES and also turns the ' into &#039;)
echo $b; // I'll "walk" the <b>dog</b> now
?>
See also: Type-2 XSS attack (links not captured on the slide).
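An added example (not from the slides) of the escaping rule in practice: rendering the error text that the redirect pattern on the following slides places in ?errors=, plus an attribute value, without letting either become markup. It uses htmlspecialchars(), which covers the five characters that matter for HTML (htmlentities() from the slide additionally converts every character that has a named entity and gives the same protection). The 'errors' and 'title' parameter names are assumptions.

```php
<?php
// Added example, not from the slides: escape untrusted text before it is
// written into HTML. The 'errors' and 'title' parameter names are assumed.

// Escape for an HTML text node or a double-quoted attribute value.
function h(string $s): string
{
    // ENT_QUOTES also converts the single quote, which htmlentities() leaves
    // alone under its PHP 5 default (ENT_COMPAT); ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string and losing the message.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// PHP already urldecode()s query parameters into $_GET, so no urldecode() here.
$raw = $_GET['errors'] ?? '';

// Unsafe: anything in the query string would be interpreted as markup.
// echo "<p>$raw</p>";

// Safe: the browser shows the text literally; newlines become <br> only after escaping.
echo '<p>' . nl2br(h($raw)) . "</p>\n";

// Same rule inside an attribute, e.g. pre-filling the form on "start over":
$title = $_POST['title'] ?? '';
echo '<input type="text" name="title" value="' . h($title) . '">' . "\n";
```

The order matters: nl2br() runs after h(), so the only tags in the output are the ones the script itself inserted.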
Separate URI to Handle Errors
…
if (empty($var1)) {
    $errors .= "$var1 should not be empty";
}
if (!is_numeric($var2)) {
    $errors .= "$var2 should be a number";
}
// check all anticipated error conditions
if (empty($errors)) {
    // do interesting work
} else {
    $errors = urlencode($errors);
    header("Location: " . $error_page_uri);  // $error_page_uri is a placeholder: the URI was cut off on the slide
    exit;  // header() does not stop the script; without exit the "interesting work" path could still run
}
Same URI to Handle Errors
…
if (empty($var1)) {
    $errors .= "$var1 should not be empty";
}
if (!is_numeric($var2)) {
    $errors .= "$var2 should be a number";
}
// check all anticipated error conditions
if (empty($errors)) {
    // do interesting work
} else {
    internal_error_function($errors);
}

function internal_error_function($errors) {
    // generate pretty HTML response (escape $errors with htmlentities() before echoing it)
    // provide link to start over
}
Same URI with Error Argument
…
if (empty($var1)) {
    $errors .= "$var1 should not be empty";
}
if (!is_numeric($var2)) {
    $errors .= "$var2 should be a number";
}
// check all anticipated error conditions
if (empty($errors)) {
    // do interesting work
} else {
    $errors = urlencode($errors);
    // REQUEST_URI already contains any query string of the current request,
    // so strip that first if this script can be reached with parameters
    header("Location: " . $_SERVER["REQUEST_URI"] . "?errors=$errors");
    exit;
}
Encoding/Decoding URLs
RFC 1738 requires "unsafe" and "reserved" characters to be encoded in URLs:
reserved examples: "/", ":", "?", …
unsafe examples: [space], "%", "#", …
PHP: urlencode(), urldecode()
More info: (link not captured on the slide)
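An added example (not from the slides) that puts the "Server-Side Input Validation", the three error-handling slides and the URL-encoding slide together: a validation function that collects every error, then either does the work or redirects to a separate error page with the message urlencode()d into the query string. The field names 'title' and 'year', the ranges, and the /error.php target are assumptions.

```php
<?php
// Added example, not from the slides: server-side validation of a form
// submission using the "collect all errors, then branch" pattern.
// $_POST keys 'title' and 'year' and the /error.php target are assumed.

// Returns an array of error strings; an empty array means the input is valid.
function validate_movie_form(array $input): array
{
    $errors = [];

    // empty() is true for "", "0", null and missing keys, so a title of "0"
    // would be rejected by it; compare against '' when "0" is a legitimate value.
    $title = trim($input['title'] ?? '');
    if ($title === '') {
        $errors[] = 'Title must not be empty';
    } elseif (strlen($title) > 200) {
        $errors[] = 'Title must be at most 200 characters';
    }

    // is_numeric() also accepts "1e3", " 12" and (before PHP 7) "0x1A", so
    // check the exact shape wanted instead of just "numeric".
    // \z rather than $ so that a trailing newline is not accepted either.
    $year = $input['year'] ?? '';
    if (!is_string($year) || !preg_match('/^\d{4}\z/', $year)) {
        $errors[] = 'Year must be four digits';
    } elseif ((int)$year < 1888 || (int)$year > (int)date('Y') + 1) {
        $errors[] = 'Year is out of range';
    }

    return $errors;
}

$errors = validate_movie_form($_POST);

if (empty($errors)) {
    // do interesting work with the validated values here
    echo "OK\n";
} else {
    // "Separate URI" flavour: hand the user to an error page. urlencode()
    // makes the newline-joined message safe to carry in a query string
    // (the error page must still HTML-escape it before echoing).
    $msg = urlencode(implode("\n", $errors));
    header('Location: /error.php?errors=' . $msg);  // /error.php is an assumed path
    exit;  // header() alone does not end the script
}
```

Each check appends to an array rather than a string, so the error page can list the problems one per line instead of the run-together text the slide's `.=` produces.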
Regular Expressions
More info: http://us2.php.net/regex
if (!ereg("([0-9]{2})-([0-9]{2})-([0-9]{4})", $_POST['movie_release'], $reldatepart)) {
    $error .= "Please+enter+a+date+with+the+dd-mm-yyyy+format";
}
// ereg() was deprecated in PHP 5.3 and removed in PHP 7; preg_match() with the same
// pattern inside delimiters (and anchored with ^ and $) is the replacement.
If $_POST['movie_release'] == "31-05-1969" then:
$reldatepart[0] = "31-05-1969"  // the whole match
$reldatepart[1] = "31"
$reldatepart[2] = "05"
$reldatepart[3] = "1969"
Date/Time
More info: http://us2.php.net/manual/en/ref.datetime.php
// $seconds_since_Jan1st1970 = mktime(hour, min, sec, month, day, year)
$movie_release = mktime(0, 0, 0, $reldatepart['2'], $reldatepart['1'], $reldatepart['3']);
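An added example (not from the slides) that carries the regular-expression and date/time slides through together with preg_match(), the PHP 7 replacement for ereg(): the pattern is anchored, the captured day/month/year are checked against the calendar before mktime() sees them, and the result is a timestamp or an error message. $_POST['movie_release'] is the field name from the slide; the function name is an assumption.

```php
<?php
// Added example, not from the slides: validate a dd-mm-yyyy date with a
// regular expression and turn it into a Unix timestamp. ereg() no longer
// exists in PHP 7+, so preg_match() is used. parse_release_date() is assumed.

// Returns a timestamp for midnight (server time zone) on the given day, or
// null with an explanation in $error when the input is rejected.
function parse_release_date(string $s, ?string &$error): ?int
{
    $error = null;
    // ^ and \z anchor the pattern: without them the slide's regex also matches
    // "31-05-1969" buried inside a longer string such as "xx31-05-1969yy".
    if (!preg_match('/^(\d{2})-(\d{2})-(\d{4})\z/', $s, $m)) {
        $error = 'Please enter a date with the dd-mm-yyyy format';
        return null;
    }
    // $m[0] is the whole match, $m[1] the day, $m[2] the month, $m[3] the year,
    // exactly like $reldatepart on the slide.
    [, $day, $month, $year] = array_map('intval', $m);

    // The regex only checks shape; 31-02-1969 has the right shape but is not
    // a real date, and mktime() would silently roll it over to 3 March.
    if (!checkdate($month, $day, $year)) {
        $error = 'That calendar date does not exist';
        return null;
    }
    // mktime(hour, min, sec, month, day, year)
    return mktime(0, 0, 0, $month, $day, $year);
}

$ts = parse_release_date($_POST['movie_release'] ?? '', $err);
if ($ts === null) {
    echo $err, "\n";
} else {
    echo date('Y-m-d', $ts), "\n";  // 1969-05-31 for the slide's input 31-05-1969
}
```

checkdate() is the step the slide's code lacks: the regex guarantees two digits for the day and month, not that the pair is a date that exists.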
Apache httpd.conf
% less /etc/apache2/httpd.conf
…
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402
SMTP Mesg
PHP syntax: mail($to, $subject, $body, $headers)

A test message sent with mail(); addresses and IP numbers were stripped from the slide.

From Mon Oct 16 14:41:
Return-Path:
Received: from ruby.ils.unc.edu (ruby.ils.unc.edu [ ]) by cartero.cs.odu.edu (8.13.6/8.13.6) with ESMTP id k9GIfZw for Mon, 16 Oct :41: (EDT)
Received: from cartero.cs.odu.edu (cartero.cs.odu.edu [ ]) by ruby.ils.unc.edu ( / ) with ESMTP id k9GIfYFK012598 for Mon, 16 Oct :41:
Received: from tango.cs.odu.edu (tango.cs.odu.edu [ ]) by cartero.cs.odu.edu (8.13.6/8.13.6) with ESMTP id k9GIfYJR001703 for Mon, 16 Oct :41: (EDT)
Received: from localhost by tango.cs.odu.edu ( Sun/8.13.5/Submit) with ESMTP id k9GIfYRf026120
X-Authentication-Warning: tango.cs.odu.edu: mln owned process doing -bs
Date: Mon, 16 Oct :41: (EDT)
From: Michael Nelson
To:
Subject: test mesg
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: R
X-Status:
X-Keywords:

this is an that I'm sending to myself (albeit through a different addr).

----
Michael L. Nelson
Dept of Computer Science, Old Dominion University, Norfolk VA 23529
(f)
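An added example (not from the slides) of calling mail($to, $subject, $body, $headers) from a form handler. The slide shows the resulting message; what it does not show is that $subject and $headers go to the MTA as header lines, so a line break inside a form value would start a new header. The code keeps the recipient fixed and refuses multi-line subject and From values. Field names, the function names and the recipient address are assumptions.

```php
<?php
// Added example, not from the slides: send a contact-form message with
// mail() while keeping user input out of the header structure.
// Field names, function names and the recipient address are assumed.

// True when the value has no CR or LF, i.e. it fits on one header line.
function is_single_line(string $s): bool
{
    return strpbrk($s, "\r\n") === false;
}

function send_contact_mail(array $input, string $to): bool
{
    $from    = $input['from'] ?? '';
    $subject = $input['subject'] ?? '';
    $body    = $input['body'] ?? '';

    // FILTER_VALIDATE_EMAIL rejects spaces, line breaks and display-name
    // syntax, so the From: header can only ever hold a plain address.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!is_single_line($subject) || strlen($subject) > 200) {
        return false;
    }
    // Line breaks in the body are fine: they stay inside the message body,
    // which the MTA does not interpret.
    $headers = "From: $from\r\n"
             . "Reply-To: $from\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    // mail($to, $subject, $body, $headers) as on the slide; $to is the site's
    // own fixed address and is never taken from the request.
    return mail($to, $subject, $body, $headers);
}

$ok = send_contact_mail($_POST, 'webmaster@example.com');  // recipient assumed
echo $ok ? "Message sent\n" : "Message rejected\n";
```

The same validation applies to any other value that ends up in a header line; the body is the only place where user-supplied line breaks are harmless.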