Secure input and output handling
Secure input and output handling are secure programming techniques designed to prevent security bugs and the exploitation thereof.

Input handling

Input handling is how an application, server or other computing system handles the input supplied from users, clients, or a computer network.

Secure input handling is often required to prevent vulnerabilities such as code injection, where attacker-controlled input is processed as code and changes the program's course of execution, and directory traversal, where unsanitised file names containing "traverse to parent directory" sequences are passed through to file APIs.

Encode (escape) input

Escaping keeps a malicious value confined to the place where it is meant to appear, for example inside a quoted string literal of an SQL statement. The escaping must match the interpreter that will consume the value (SQL, a shell, LDAP, HTML, ...), and it only works where the value is enclosed in quotes: an escaped value substituted into an unquoted numeric position (WHERE id = ...) is still injectable.

SQL escaping: ' OR 1=1 --' is escaped to \' OR 1=1 --\' (MySQL backslash style; standard SQL doubles the quote instead, giving '' OR 1=1 --'').
In PHP this can be done with mysqli_real_escape_string (the older mysql_real_escape_string belongs to the mysql extension, which was removed in PHP 7.0) or with PDO::quote, which also wraps the result in quotes.

Other solutions

Other measures depend on the programming language in use and on the type of code injection being prevented. For example, the htmLawed PHP library filters HTML supplied by users so that cross-site scripting payloads are removed while permitted markup is kept.

In particular, to prevent SQL injection, parameterized queries (also known as prepared statements and bind variables) are the preferred defence: the statement text is fixed and each value is sent separately, so input can never change the statement's structure. They also improve code clarity and can improve performance when a statement is reused.
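The following is an added example, not code from the original page, written in Python against the standard library's sqlite3 module so that it runs without a database server; the same distinction applies to PHP's mysqli_real_escape_string and PDO prepared statements. It covers both points above: escaping contains the classic ' OR 1=1 -- payload only while the value sits inside quotes, escaping does nothing in an unquoted numeric position, and a parameterized query (plus type validation) closes both holes. The users table and its three rows are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the original page): an in-memory
    SQLite database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def sql_escape(value: str) -> str:
    """Escape a value for use inside a single-quoted SQL string literal.
    Standard SQL (and SQLite) doubles the quote character; MySQL's
    mysqli_real_escape_string uses a backslash instead, but the effect is
    the same: the quote can no longer terminate the literal."""
    return value.replace("'", "''")


def _names(rows) -> list:
    # Sorted so results do not depend on row order (an injected comment
    # could swallow an ORDER BY clause).
    return sorted(r[0] for r in rows)


def find_by_name_concat(conn, name: str) -> list:
    """VULNERABLE: the raw value is pasted into the query text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return _names(conn.execute(sql))


def find_by_name_escaped(conn, name: str) -> list:
    """Escaping contains the value as long as it sits between quotes."""
    sql = f"SELECT name FROM users WHERE name = '{sql_escape(name)}'"
    return _names(conn.execute(sql))


def find_by_id_escaped(conn, user_id: str) -> list:
    """STILL VULNERABLE: escaping quotes does nothing in an unquoted
    numeric position; the input needs no quote to break out."""
    sql = f"SELECT name FROM users WHERE id = {sql_escape(user_id)}"
    return _names(conn.execute(sql))


def find_by_name_param(conn, name: str) -> list:
    """Parameterized query: the statement text is fixed and the value is
    bound separately, so it can never alter the statement's structure."""
    return _names(conn.execute("SELECT name FROM users WHERE name = ?", (name,)))


def find_by_id_param(conn, user_id: str) -> list:
    """Parameterize and validate the type: anything that is not an integer
    is rejected (empty result) rather than handed to the database."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return _names(conn.execute("SELECT name FROM users WHERE id = ?", (uid,)))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("concatenated: ", find_by_name_concat(db, payload))    # every user leaks
    print("escaped:      ", find_by_name_escaped(db, payload))   # []
    print("numeric/esc:  ", find_by_id_escaped(db, "1 OR 1=1"))  # every user leaks
    print("parameterized:", find_by_name_param(db, payload))     # []
    print("id/param:     ", find_by_id_param(db, "1 OR 1=1"))    # []
```

Note that the escaped numeric lookup leaks the whole table even though every quote in the input was handled correctly; that is the case escaping alone cannot cover, and the reason parameterization is the default rather than the fallback.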

Output handling

Output handling is how an application, server or system handles the output (e.g. generating HTML, printing, logging, ...). It is important to keep in mind output often contains input supplied from users, clients, network, databases etc.

Secure output handling is primarily associated with preventing cross-site scripting (XSS) vulnerabilities, but it can also matter in similar areas; for example, if Microsoft Office documents are generated with some API, output handling may be required to prevent macro injection.

Encode (escape) output

"Encoding" processes content that is about to be output so that any potentially dangerous characters are made safe. Characters from a typical known safe charset for the particular destination medium are often left as they are. A simple encoding might leave alone alphanumerics a-z, A-Z and 0-9. Any other characters could be possibly interpreted in an unexpected manner, and are therefore replaced with the appropriate "encoded" representation.

HTML encoding: