Getting Started
Nature and Scope of the Problem
Understanding Filtering, Validation, and Output Escaping
Preventing the Most Common Forms of Attack
Protecting Against Common Website Vulnerabilities
Protecting Against SQL Injection Attacks
About the Author
LAB: Filtering and validating posted form data
- Modify the add member form
  - URL: http://localhost/sweetscomplete/?page=addmember
  - Location: /path/to/htdocs/sweetscomplete/View/addmember.php
  - Look for comments starting with "// ***" for clues
- Add validation for all fields
  - Determine appropriate rules
  - Use appropriate utilities: ctype_*, strlen(), stripos(), preg_match(), filter_var(), etc.
  - Implement lookup validation for "country"
- Add filtering for appropriate fields
  - Determine which fields need filtering
  - Use appropriate utilities: strip_tags(), str_replace(), preg_replace(), filter_var(), etc.
- Add appropriate validation messages for each field
  - Add entries to the $error array
- Make sure invalid entries are not added to the database
  - Add an appropriate "if" statement that skips the insert when data is invalid
- Test against attack
  - Enter invalid data
  - Attempt a reflected XSS attack
  - Check the database to ensure invalid entries are not present
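The lab steps above, carried through as one worked example. This is added illustration code, not the course's own addmember.php: the field names (first_name, last_name, email, phone, country), the country lookup table and the rules are assumptions chosen to show each step (filtering first, then validation with the listed utilities, lookup validation for country, messages collected in an error array, and an "if" that only lets clean data reach the database).

```php
<?php
declare(strict_types=1);

// Added example, not the course's addmember.php. Field names and rules are
// assumptions made for illustration.

// Lookup table for "country": only the keys listed here are accepted (constructed).
const VALID_COUNTRIES = ['US' => 'United States', 'CA' => 'Canada', 'GB' => 'United Kingdom'];

/**
 * Filter, then validate, the posted member form.
 * Returns ['data' => cleaned fields, 'errors' => field => message].
 * The caller inserts into the database only when 'errors' is empty.
 */
function validateMember(array $post): array
{
    $errors = [];
    $data   = [];

    // --- Filtering: strip markup and normalise before any rule is checked.
    $first   = trim(strip_tags((string)($post['first_name'] ?? '')));
    $last    = trim(strip_tags((string)($post['last_name'] ?? '')));
    $email   = trim((string)($post['email'] ?? ''));
    $phone   = preg_replace('/[^0-9]/', '', (string)($post['phone'] ?? ''));
    $country = strtoupper(trim((string)($post['country'] ?? '')));

    // --- Validation: every field gets a rule and a message in $errors.
    foreach (['first_name' => $first, 'last_name' => $last] as $field => $value) {
        if ($value === '' || mb_strlen($value) > 50) {
            $errors[$field] = 'Must be between 1 and 50 characters';
        } elseif (!preg_match("/^[\p{L} .'-]+$/u", $value)) {
            $errors[$field] = 'Only letters, spaces, periods, apostrophes and hyphens allowed';
        } else {
            $data[$field] = $value;
        }
    }

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Not a valid e-mail address';
    } else {
        $data['email'] = $email;
    }

    // After filtering, phone is digits only; ctype_digit() also rejects the empty string.
    if (!ctype_digit($phone) || strlen($phone) < 7 || strlen($phone) > 15) {
        $errors['phone'] = 'Phone must contain 7 to 15 digits';
    } else {
        $data['phone'] = $phone;
    }

    // Lookup validation: the value must be a known key, not merely look like a country.
    if (!array_key_exists($country, VALID_COUNTRIES)) {
        $errors['country'] = 'Please choose a country from the list';
    } else {
        $data['country'] = $country;
    }

    return ['data' => $data, 'errors' => $errors];
}

// Constructed submissions standing in for $_POST.
$submissions = [
    'valid'   => ['first_name' => 'Ada', 'last_name' => 'Lovelace', 'email' => 'ada@example.com',
                  'phone' => '+1 (555) 010-0100', 'country' => 'gb'],
    'invalid' => ['first_name' => '<b>Bob</b>', 'last_name' => '', 'email' => 'not-an-email',
                  'phone' => '12', 'country' => 'ZZ'],
];

foreach ($submissions as $label => $post) {
    $result = validateMember($post);
    echo "== $label submission ==\n";
    if ($result['errors'] === []) {
        // Only on this branch would the INSERT run (prepared statement, not shown).
        echo 'OK, would insert: ' . json_encode($result['data']) . "\n";
    } else {
        // Invalid data never reaches the database; messages are escaped before output.
        foreach ($result['errors'] as $field => $msg) {
            echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8') . "\n";
        }
    }
}
```

Run with `php addmember_lab.php`: the first submission passes (the phone is reduced to digits, the country code is upper-cased and found in the lookup table), while the second collects four messages and is never inserted. Filtering and validation are kept as separate passes so that stripped markup does not silently turn an invalid value into a valid one, and the error text is escaped with htmlspecialchars() at the point of output, which is the output-escaping step from the course outline.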