in reply to Do I have to untaint all user input in a form?

1. For the purposes of untainting, do I have to validate every user input value, even though they are all going into a database?

It depends on your schema. If you have text fields that can legitimately contain any old pile of bits, then you can get by without validation. For all other types of fields, bitter experience says to assume the worst. That means validating.

Re: Re: Do I have to untaint all user input in a form?
by liz (Monsignor) on Nov 14, 2003 at 09:00 UTC
    I strongly agree with the validating bit. It does not depend on your schema.

    It is important to realise that when a form is posted to a server, there is no schema information sent with it. For instance, what you think may be a radio button or check box (and thus an expected string value) can be anything when it is posted from somewhere else.

    A contrived example (which I unfortunately have seen happening in the real world):

    <FORM METHOD=post ACTION=/doit.pl>
      <INPUT NAME=action TYPE=checkbox VALUE="INSERT INTO table VALUES (1,2,3)">
      <INPUT TYPE=submit>
    </FORM>

    may coerce you into thinking that the value on the server of the field "action" is either the INSERT statement or nothing.

    However, anybody in the world with access to Perl and LWP.pm might easily set up a request to "/doit.pl":

    use LWP::UserAgent;
    my $ua  = LWP::UserAgent->new;
    # Build the POST by hand; the browser's form is not involved at all
    my $req = HTTP::Request->new(POST => 'http://your.server.com/doit.pl');
    # The "checkbox" value is whatever the client chooses to send
    $req->content(q{action=DELETE%20FROM%20table});
    $ua->request($req);   # kaboom, your table is gone

    So, even if you thought you could trust the value of a checkbox, you can't. You always need to check values coming in from the form. Always.

    Liz
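As an added example (it is not code from this thread, and not liz's or the original poster's), here is what both posts' advice looks like in practice in Perl: every field is whitelisted, and thereby untainted, under -T before it gets anywhere near DBI, and the one free-text field (the "any old pile of bits" case) only ever travels as a bind parameter. The optional DBD::SQLite in-memory database, the `notes` table and the three sample requests are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: whitelist-validate (and thereby
# untaint) form values before they reach the database. Assumes CGI-style
# form values; here they are constructed inline so the script runs alone.
use strict;
use warnings;

# The only values the real form's checkbox/select is supposed to send.
my %ALLOWED_ACTION = map { $_ => 1 } qw(insert delete);

# Returns the untainted action, or undef when the value is not on the
# whitelist. The capture group is what clears Perl's taint flag; the hash
# lookup is what makes the check meaningful (a bare /(.*)/ would untaint
# anything, including liz's "DELETE FROM table").
sub untaint_action {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([a-z]{1,16})\z/;
    my $clean = $1;
    return $ALLOWED_ACTION{$clean} ? $clean : undef;
}

# Numeric id: digits only, bounded length, so it can never carry SQL.
sub untaint_id {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([0-9]{1,9})\z/;
    return $1 + 0;
}

# Free text is the one field allowed to hold "any old pile of bits"; it is
# never interpolated into SQL, only ever passed as a bind parameter.
sub run_action {
    my ($dbh, $action, $id, $note) = @_;
    if ($action eq 'insert') {
        return $dbh->do('INSERT INTO notes (id, note) VALUES (?, ?)', undef, $id, $note);
    }
    return $dbh->do('DELETE FROM notes WHERE id = ?', undef, $id);
}

# Constructed sample requests: the first is what a well-behaved browser
# sends, the other two are the kind of thing an LWP client can send instead.
my @requests = (
    { action => 'insert',            id => '42',       note => q{x'; --} },
    { action => 'DELETE FROM table', id => '42',       note => 'ok' },
    { action => 'delete',            id => '1 OR 1=1', note => 'ok' },
);

# Use an in-memory SQLite database when DBI and DBD::SQLite are installed;
# otherwise only report the validation verdicts (the validation is the point).
my $dbh = eval {
    require DBI;
    my $h = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                         { RaiseError => 1, PrintError => 0 });
    $h->do('CREATE TABLE notes (id INTEGER PRIMARY KEY, note TEXT)');
    $h;
};

for my $form (@requests) {
    my $action = untaint_action($form->{action});
    my $id     = untaint_id($form->{id});
    if (!defined $action || !defined $id) {
        printf "rejected: action=%s id=%s\n", $form->{action}, $form->{id};
        next;
    }
    # Reached only with action in {insert, delete} and id a bounded integer.
    run_action($dbh, $action, $id, $form->{note}) if $dbh;
    printf "accepted: %s id=%d\n", $action, $id;
}
```

Run it as `perl -T validate.pl` (the file name is arbitrary) so taint mode is on from the start; with a real CGI request the values would arrive tainted, and the two capture-group checks are the only places where that taint is removed. The second and third requests are rejected before any SQL is built, which is the behaviour liz's forged LWP request should meet.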