Presentation is loading. Please wait.

Presentation is loading. Please wait.

Form Validator “Hasta La Vista SQL Injection”. Their Job, Our Job, It’s Job Chris Anley mentions Four Best- Practices to Avoid SQL Injection Chris Anley.

Published byDeborah Morgan Modified over 9 years ago

Similar presentations

Presentation on theme: "Form Validator “Hasta La Vista SQL Injection”. Their Job, Our Job, It’s Job Chris Anley mentions Four Best- Practices to Avoid SQL Injection Chris Anley."— Presentation transcript:

1 Form Validator “Hasta La Vista SQL Injection”

2 Their Job, Our Job, It’s Job Chris Anley mentions Four Best- Practices to Avoid SQL Injection Chris Anley mentions Four Best- Practices to Avoid SQL Injection –Three are Sys. Admin and DBA tasks –Only one is related exclusively to coding –Comprehensive Input Validation That’s what the Form Validator does! That’s what the Form Validator does!

3 You’re Not Saying…?!? No, this is NOT the silver bullet for security or even just SQL Injection. No, this is NOT the silver bullet for security or even just SQL Injection. Comprehensive Input Validation Comprehensive Input Validation –“Comprehensive” now may not be tomorrow. –Your “Comprehensive” may be more than mine. We need a foundation on which to build. We need a foundation on which to build.

4 Another “Perfectly Conceived” Acronym FDF originally stood for Form DeFinition FDF originally stood for Form DeFinition –Hideously Stupid Could stand for Form Definition File Could stand for Form Definition File –I Like this One Whatever you call it, here lies the building blocks of the Form Validator - XML Whatever you call it, here lies the building blocks of the Form Validator - XML

5 Form Definition File Built on XML Built on XML Makes use of a set of pre-defined tags to create rules for a form and elements on that form. Makes use of a set of pre-defined tags to create rules for a form and elements on that form. Each FDF file (after the ?XML tag) begins with the fdf tag. Each FDF file (after the ?XML tag) begins with the fdf tag. Structure of all of the tags under fdf… Structure of all of the tags under fdf…

6 From to From to fdf fdf –form –return –group (optional) id id required required total total –rule (optional groupid = “ ”) display display field field length length type type required required

7 Elements Explained… form form –Describes the name of the form which the validator is validating. –XML syntax – “ … ” return return –Describes the URL of the page which contains the above form. –XML syntax – “ … ”

8 Grouped Fields Need an “Outta”? Need an “Outta”? group group –Contains the information for a particular set of grouped fields. –XML syntax <group><id>…</id><required>…</required><total>…</total></group> Optional “groupid” Attribute Optional “groupid” Attribute

9 Form Validator – Ruler of the Form The individual rules for each form element. The individual rules for each form element. rule rule –Contains the information for a particular form field. –XML syntax <rule> … … </rule>

10 Grouped By Group ID The “groupid” attribute can be given to a rule to associate it to a group of rules. The “groupid” attribute can be given to a rule to associate it to a group of rules. For example For example<group><id>…</id></group> …</rule>

11 Stick Together and We’ll Make It Through All … tags must be together before all … tags. All … tags must be together before all … tags. The format is The format is<group>…</group><group>…</group><rule>…</rule><rule>…</rule><rule>…</rule>

12 Sample FDF <fdf><form>frmSave</form><return>index.cfm?subap=Lubay&action=EditItem&ItemID=#ItemID#</return><group> group1 group1 1 1 2 2 </group> Title Title txtItemName txtItemName 50 50 Char Char 1 1 </rule> Description Description txtDescription txtDescription 500 500 Char Char 1 1 </rule><rule> Name Name txtName txtName 20 20 Char Char 0 0 </rule></fdf>

13 Pause for Effect Normal Form System Methodology Normal Form System Methodology Form PostedSQL Generated SQL Run on DB

14 Pause for Effect Form Validator System Form Validator System Form PostedSQL GeneratedSQL Run on DBChecked Against FDF All you have to do is plug in the Form Validator. All you have to do is plug in the Form Validator.

15 How to “Plug It In” Find the file to which a form is posted Find the file to which a form is posted Before ANY action is taken with that data (i.e. it is dynamically placed in a SQL query) call the Form Validator Before ANY action is taken with that data (i.e. it is dynamically placed in a SQL query) call the Form Validator Example Call Example Call If all of the data submitted is valid according to the FDF rules, then nothing happens and the action on the data will take place. If all of the data submitted is valid according to the FDF rules, then nothing happens and the action on the data will take place. If any of the data submitted is not valid… If any of the data submitted is not valid…

16 Watch Out! A Boomerang! If any of the data submitted is not valid, then the page pointed to by the URL in the … tag in the FDF needs to be ready to receive: If any of the data submitted is not valid, then the page pointed to by the URL in the … tag in the FDF needs to be ready to receive: –h_’ ’ hidden form fields which contains all data fields submitted to the validator. –err_’ ’ hidden form fields which contain an error message for each field that failed validation.

17 Another Look… Form Validator System Form Validator System Form PostedSQL GeneratedSQL Run on DBChecked Against FDF Form Fields h_ and err_ Form Fields Valid Form Fields

18 Example Form Code <input type="text" name="txtItemName" value="#h_txtItemName#" > value="#h_txtItemName#" ><br> #err_txtItemName# #err_txtItemName# Steps to receive erred form data from the Form Validator Steps to receive erred form data from the Form Validator –Check for the presence of h_field-name and set the value of the form element that equal to it. –Check for the presence of err_field-name and output the error in some way if it exists. –Check for the presence of err_group-id. Whenever you have set up a group by using the … tags in the FDF, the form needs to be set up to receive errors which happen at the group level. They will be stored in the “err_ ” form field.

19 Form Validator Summary Create Form Definition File Create Form Definition File Call Form Validator before using the Form elements Call Form Validator before using the Form elements Create the Form in such a way that it is capable of filling in the form elements with posted data and displaying the error messages associated with bad fields. Create the Form in such a way that it is capable of filling in the form elements with posted data and displaying the error messages associated with bad fields.

20 Form Validator Questions? Questions?

Download ppt "Form Validator “Hasta La Vista SQL Injection”. Their Job, Our Job, It’s Job Chris Anley mentions Four Best- Practices to Avoid SQL Injection Chris Anley."

Similar presentations

Web Development & Design Foundations with XHTML

Web Development & Design Foundations with XHTML
Apache Struts Technology

Apache Struts Technology
Standards and Increasing Maintainability on Web- based Systems James Eaton SE4112/16/2006.

Standards and Increasing Maintainability on Web- based Systems James Eaton SE4112/16/2006.
An Introduction to XML Based on the W3C XML Recommendations.

An Introduction to XML Based on the W3C XML Recommendations.
Lecture 14 HTML Forms CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.

Lecture 14 HTML Forms CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.
Video, audio, embed, iframe, HTML Form

Video, audio, embed, iframe, HTML Form
NMD202 Web Scripting Week5. What we will cover today PHPmyAdmin Debugging – using print_r Modifying Data PHP (cont.) 4D Methodology File and IO operations.

NMD202 Web Scripting Week5. What we will cover today PHPmyAdmin Debugging – using print_r Modifying Data PHP (cont.) 4D Methodology File and IO operations.
Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.

Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.
Tutorial 6 Working with Web Forms

Tutorial 6 Working with Web Forms
Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.

Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.
Tutorial 6 Working with Web Forms. XP Objectives Explore how Web forms interact with Web servers Create form elements Create field sets and legends Create.

Tutorial 6 Working with Web Forms. XP Objectives Explore how Web forms interact with Web servers Create form elements Create field sets and legends Create.
Creating Web Page Forms

Creating Web Page Forms
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.
Pemrograman Berbasis WEB XML part 2 -Aurelio Rahmadian- Sumber: w3cschools.com.

Pemrograman Berbasis WEB XML part 2 -Aurelio Rahmadian- Sumber: w3cschools.com.
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.

Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.
XP Tutorial 6New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Creating Web Page Forms Designing a Product Registration Form Tutorial.

XP Tutorial 6New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Creating Web Page Forms Designing a Product Registration Form Tutorial.
XP Tutorial 6New Perspectives on HTML and XHTML, Comprehensive 1 Creating Web Page Forms Designing a Product Registration Form Tutorial 6.

XP Tutorial 6New Perspectives on HTML and XHTML, Comprehensive 1 Creating Web Page Forms Designing a Product Registration Form Tutorial 6.
1 Creating Web Forms in HTML Web forms collect information from customers Web forms include different control elements including: –Input boxes –Selection.

1 Creating Web Forms in HTML Web forms collect information from customers Web forms include different control elements including: –Input boxes –Selection.

Similar presentations

Ads by Google