Which is the preferred approach in sanitizing inputs coming from the user?

Thank you!

A: 

Personally, I gauge the number of allowed or disallowed characters and go from there. If there are more allowed chars than disallowed, then blacklist. Else whitelist. I don't believe that there is any 'standard' that says you should do it one way or the other.

BTW, this answer is assuming you want to limit inputs into form fields such as phone numbers or names :) @posterBelow

Tommy
So the filtering mechanism you use is on a per-character basis? So what weaknesses did you encounter in your implementation of this approach, and how did you manage to work around them? Thanks!
ultrajohn
Well, I am taking this to mean this input only has numbers (whitelist) or that input cannot ever have dashes or slashes (blacklist). If you are using this to prevent XSS and SQL injection attacks, then I would go another route (HTML encoding, parameterized queries). And when I do use lists, it is 99% a regex.
Tommy
A weakness is mentioned below, in that I forgot some character. However, like I said above, I use it when I want to limit character inputs on data types, not secure the site (or perhaps in addition to, but not the sole means).
Tommy
OK, thanks a lot! BTW, can you provide some helpful links where I can learn more about this? Thanks, really.
ultrajohn
Are you working on web apps or desktop apps? It also helps to look for your specific language (.NET, Java, RoR, PHP or JavaScript). Google your language and regex - you should find a plethora of information. Good luck!
Tommy
Currently web apps. :)
ultrajohn
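The per-character approach discussed in this answer and its comments, as an added example that is not part of the original thread: two regex validators for a phone field, one whitelisting the characters it may contain and one blacklisting characters it may not. The blacklist is deliberately written the way such lists usually end up, missing characters the author did not think of (here `;` and the backtick), to show the weakness Tommy mentions. All patterns and sample inputs are constructed for this example.

```python
import re

# Whitelist: the field may contain ONLY these characters. fullmatch() is used
# below so the whole string must match (no anchors needed, and a trailing
# newline cannot sneak past a "$").
PHONE_ALLOWED = re.compile(r"\+?[0-9][0-9 \-]{6,19}")
NAME_ALLOWED = re.compile(r"[A-Za-z][A-Za-z' \-]{0,49}")

# Blacklist: the field may contain anything EXCEPT these characters.
# Constructed to be incomplete on purpose: it rejects angle brackets, quotes
# and slashes but forgets ";" and "`", so it passes input nobody intended.
PHONE_DISALLOWED = re.compile(r"[<>\"'/\\]")


def phone_ok_whitelist(value: str) -> bool:
    """True only if every character of the phone number is in the allowed set."""
    return PHONE_ALLOWED.fullmatch(value) is not None


def phone_ok_blacklist(value: str) -> bool:
    """True if none of the listed bad characters appears (everything else passes)."""
    return PHONE_DISALLOWED.search(value) is None


def name_ok_whitelist(value: str) -> bool:
    """Letters, apostrophe, space and hyphen only, at most 50 characters."""
    return NAME_ALLOWED.fullmatch(value) is not None


def compare(values):
    """Return {value: (whitelist_verdict, blacklist_verdict)} for a batch of phone inputs."""
    return {v: (phone_ok_whitelist(v), phone_ok_blacklist(v)) for v in values}


if __name__ == "__main__":
    for value, verdicts in compare(["+1 555-0100", "555;DROP", "555<b>"]).items():
        print(repr(value), "whitelist=%s blacklist=%s" % verdicts)
```

The whitelist rejects `555;DROP` because `;` is simply not on the allowed list, while the blacklist accepts it because nobody remembered to ban `;`. The whitelist has the usability cost Stephen Orr raises further down: `NAME_ALLOWED` rejects a perfectly real name such as `José`, so the allowed set has to be chosen per field, not copied around.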
A: 

The best approach is to either use stored procedures or parameterized queries. Whitelisting is an additional technique that is OK to prevent any injections before they reach the server, but should not be used as your primary defense. Blacklisting is usually a bad idea because it's usually impossible to filter out all malicious inputs.

BTW, this answer is considering you mean sanitizing as in preventing SQL injection.

Chad
Does this kind of approach work only against SQL injection, or does it prevent other attacks like XSS?
ultrajohn
For preventing XSS, also HTML-encode the output.
Chad
A: 

The answer generally is, it depends.

For inputs with clearly defined parameters (say the equivalent of a dropdown menu), I would whitelist the options and ignore anything that wasn't one of those.

For free-text inputs, it's significantly more difficult. I subscribe to the school of thought that you should just filter it as best you can so it's as safe as possible (escape HTML, etc.). Some other suggestions would be to specifically disallow any invalid input - however, while this might protect against attacks, it might also affect usability for genuine users.

I think it's just a case of finding the blend that works for you. I can't think of any one solution that would work for all possibilities. Mostly it depends on your userbase.

Stephen Orr
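The two cases this answer separates, as an added example that is not part of the original thread: an enumerated field (the dropdown) handled by an allowlist of known option values, with anything else ignored in favour of the default, and a free-text field that is stored as typed and escaped only when rendered into HTML, using the standard library's `html.escape`. The option set, field names and sample inputs are constructed for this example.

```python
import html

# Constructed allowlist mirroring the <option value="..."> entries of a dropdown.
COUNTRY_OPTIONS = ("us", "ca", "mx")
DEFAULT_COUNTRY = "us"


def pick_country(submitted: str) -> str:
    """Enumerated field: accept only a known option; anything else is ignored, not 'cleaned'."""
    return submitted if submitted in COUNTRY_OPTIONS else DEFAULT_COUNTRY


def render_country_select(selected: str) -> str:
    """Re-render the dropdown; the selected value has already passed pick_country()."""
    opts = []
    for code in COUNTRY_OPTIONS:
        flag = " selected" if code == selected else ""
        opts.append('<option value="%s"%s>%s</option>' % (code, flag, code.upper()))
    return '<select name="country">' + "".join(opts) + "</select>"


def render_comment(author: str, body: str) -> str:
    """Free-text fields: keep the user's text intact in storage, escape at the output boundary.

    html.escape() with its default quote=True also escapes quotes, so the same
    call is safe inside attribute values as well as between tags.
    """
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(body))


if __name__ == "__main__":
    print(render_country_select(pick_country("ca")))
    print(render_country_select(pick_country("<option>")))  # falls back to the default
    print(render_comment("Tom", "1 < 2 & \"ok\" <b>not bold</b>"))
```

Because the comment body is escaped rather than rejected, a genuine user who types `a < b` or an HTML tag in passing keeps their text, which is the usability trade-off the answer describes; the same text can never become markup in the page.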
A: 

WL is a best practice against BL whenever it is practicable.

The reason is simple: you can't be reasonably safe enumerating what is not permitted; an attacker could always find a way you did not think about. If you can say what is allowed for sure, it is simpler and much, much safer!

AlberT