Welcome! Log In Create A New Profile


limiting the input length

Posted by 44024738_tai 
Announcements Last Post
Announcement SoC Curricula 09/30/2017 01:08PM
Announcement Demarcation or scoping of examinations and assessment 02/13/2017 07:59AM
Announcement School of Computing Short Learning Programmes 11/24/2014 08:37AM
Announcement Unisa contact information 07/28/2011 01:28PM
limiting the input length
October 10, 2012 01:13PM
Are there marks in the marking rubric for using specifically PHP to limit the input length of say, the username field???.
I am asking because using the html maxlength attribute on the input box works so much better.
Also because I am using the POST method the user can't inject SQL in the browser URL.
Re: limiting the input length
October 10, 2012 01:34PM
I suppose since this is PHP course not HTML or JavaScript we have to use PHP were we can. I had the same problem. I used PHP where ever I can.
Re: limiting the input length
October 10, 2012 02:56PM
PHP preferred, but HTML OK/
POST does not mean they can't inject
Re: limiting the input length
October 10, 2012 03:06PM
Ok I will use PHP for some input validation and HTML for other smiling smiley Also, I would like to say that it's fantastic to be able to be in contact with the lecturer like we can here with mac.. I wish my other lecturers were so readily available to help. Thanks mac
avatar Re: limiting the input length
October 12, 2012 10:13PM
/me concur
Re: limiting the input length
October 18, 2012 12:59PM
NEVER NEVER NEVER NEVER NEVER do your validation on client side only.

Your opening yourself up for major issues. Client side validation should serve the sole purpose of enhancing user experience (Avoiding the postback before errors are displayed). You should never rely on validation that the user can disable. As Mac has pointed out, you can inject both post and get requests. I've seen injections in all sorts of places, cookies, user agent, referrer, pretty much anything that's sent in the header. Querystring and post data are not even the only places you should be validating.

Rule of thumb, assume all input is hostile.

Security should be part of the actual core design, the main problem most enterprise applications face are exactly that, security was added as an afterthought which leaves the applications with huge exposure. This isn't even touching validation for things like cross site scripting, file inclusion vulnerabilities or even sensitive information disclosure that could lead to exploitation.
Re: limiting the input length
October 18, 2012 01:22PM
Yes thanks.

I made a php function to clean my input first. I hope I covered all the bases because my portfolio is already submitted! :|
Sorry, only registered users may post in this forum.

Click here to login