1 / 11

Web Programming Week 6

Web Programming Week 6. Old Dominion University Department of Computer Science CS 418/518 Fall 2010 Martin Klein <mklein@cs.odu.edu> 10/05/10. Server-Side Input Validation (Chapter 8 in book, 7 in sample code).

lavey
Download Presentation

Web Programming Week 6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web ProgrammingWeek 6 Old Dominion University Department of Computer Science CS 418/518 Fall 2010 Martin Klein <mklein@cs.odu.edu> 10/05/10

  2. Server-Side Input Validation(Chapter 8 in book, 7 in sample code) • Client-side input validation is nice but not a replacement for server-side validation • client-side security == no security • malicious or broken clients • client-side (Javascript) examples: http://www.codeave.com/javascript/category.asp?u_category=Forms • Server-side can be built using: • empty(), is_numeric(), is_string(), is_bool(), is_array(), is_object(), etc. • http://us2.php.net/manual/en/ref.var.php

  3. Separate URI to Handle Errors … if (empty($var1)) { $errors .= "$var1 should not be empty"; } if (!is_numeric($var2)) { $errors .= "$var2 should be a number"; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header("Location: http://foo.edu/error.php?error=$errors"); }

  4. Same URI to Handle Errors … if (empty($var1)) { $errors .= "$var1 should not be empty"; } if (!is_numeric($var2)) { $errors .= "$var2 should be a number"; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { internal_error_function($errors); } function internal_error_function ($errors) { // generate pretty HTML response // provide link to start over }

  5. Same URI with Error Argument … if (empty($var1)) { $errors .= "$var1 should not be empty"; } if (!is_numeric($var2)) { $errors .= "$var2 should be a number"; } // check all anticipated error conditions … if (empty($errors)) { // do interesting work } else { $errors = urlencode($errors); header("Location:".$_SERVER["REQUEST_URI"]."?errors=$errrors"; }

  6. Encoding/Decoding URLs • RFC-1738 requires “unsafe” and “reserved” characters to be encoded in URIs: • http://www.rfc-editor.org/rfc/rfc1738.txt • Reserved examples “/”, “:”, “?”… • Unsafe examples [space], “%”, “#”… • PHP urlencode(), urldecode() • http://us2.php.net/manual/en/function.urlencode.php • http://us2.php.net/manual/en/function.urldecode.php • More info: • http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

  7. Escaping HTML <?php $orig = "I'll \"walk\" the <b>dog</b> now"; $a = htmlentities($orig); $b = html_entity_decode($a); echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now echo $b; // I'll "walk" the <b>dog</b> now ?> See: http://www.w3schools.com/PHP/func_string_htmlentities.asp http://php.net/manual/en/function.htmlentities.php http://us2.php.net/manual/en/function.html-entity-decode.php http://www.w3schools.com/PHP/func_string_html_entity_decode.asp Also: http://en.wikipedia.org/wiki/Lightweight_markup_language

  8. Regular Expressions • More Info: http://us2.php.net/regexhttp://oreilly.com/catalog/9780596528126/ if ( !preg_match("/([0-9]{2})-([0-9]{2})-([0-9]{4})/", $_POST['movie_release'] , $reldatepart) ) { $error .= "Please+enter+a+date+with+the+dd-mm-yyyy+format"; } Attention: "ereg" has been deprecated as of PHP 5.3 and hence will cause a warning! if $_POST['movie_release'] == 31-05-1969 then: $reldatepart[0] = 31-05-1969 $reldatepart[1] = 31 $reldatepart[2] = 05 $reldatepart[3] = 1969

  9. Date/Time • More info: http://us2.php.net/manual/en/ref.datetime.php $movie_release = mktime ( 0, 0, 0, $reldatepart['2'], $reldatepart['1'], $reldatepart['3']); // $seconds_since_Jan1st1970 = mktime(hour,min,sec,month,day,year)

  10. Apache httpd.conf % less /etc/apache2/httpd.conf … # # Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects # # Some examples: #ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html ErrorDocument 404 /error.php?404 #ErrorDocument 404 "/cgi-bin/missing_handler.pl" #ErrorDocument 402 http://www.example.com/subscription_info.html # …

  11. Return-Path: <mklein@cs.odu.edu> Received: from exchange.cs.odu.edu (darkisland.csnet.cs.odu.edu [128.82.4.212]) by unixmail.cs.odu.edu (8.14.2/8.14.2) with ESMTP id o94LPccJ021124 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <mklein@unixmail.cs.odu.edu>; Mon, 4 Oct 2010 17:25:38 -0400 (EDT) Resent-Date: Mon, 4 Oct 2010 17:25:38 -0400 (EDT) Resent-Message-Id: <201010042125.o94LPccJ021124@unixmail.cs.odu.edu> Resent-From: <mklein@cs.odu.edu> Received: from unixmail.cs.odu.edu (128.82.4.9) by darkisland.csnet.cs.odu.edu (128.82.4.212) with Microsoft SMTP Server id 8.2.176.0; Mon, 4 Oct 2010 17:25:38 -0400 Received: from mln-web (mln-web.cs.odu.edu [128.82.4.82]) by unixmail.cs.odu.edu (8.14.2/8.14.2) with SMTP id o94LPblD021121 for <mklein@cs.odu.edu>; Mon, 4 Oct 2010 17:25:38 -0400 (EDT) Message-ID: <201010042125.o94LPblD021121@unixmail.cs.odu.edu> Received: by mln-web (sSMTP sendmail emulation); Mon, 4 Oct 2010 17:17:12 -0400 From: added by portage for apache <apache@mln-web.cs.odu.edu> Date: Mon, 4 Oct 2010 17:17:12 -0400 To: <mklein@cs.odu.edu> Subject: Error Page MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" <html><head><title></title></head><body>Error occurred on <b>Monday, October 4, 2010</b> at <b>17:17:12:2010</b><br>Error received was a <b>404</b> error.<br>The page that generated the error was: <b>/~mklein/code/code/ch08/error.php.02.php?404</b><br>The generated error message was:<h1>"Page Not Found" Error Page - (Error Code 404)</h1>The page you are looking for cannot be found<br><a href="mailto:sysadmin@localhost.com">Contact</a> the system administrator if you feel this to be in error</body></html> SMTP Mesg PHP syntax: mail($to,$subject,$body,$headers)

More Related