On my personal web site I have several sets of pages that use form
arguments for communication.  It's been pointed out that I need to do
better validation to avoid injection attacks.  Primarily, the various
pages are invoked with "?id=N" for some integer N.  But, right now it
just uses that, for example, in a MySQL query "where id=&form.id;"
clause.  That means that you could invoke the page with "?id=1 or true"
at the end and subvert the where clause.  Actually, another test that I
recently added seems to fix this specific case.  But, presumably, more
elaborate hacking could get the MySQL to do useful things for you.  So
what I need is appropriate RXML that can _safely_ validate that form.id
is an integer (I already check the case where there's no match in the
table).

The best trick I've come up with so far is:
        <if expr='STRING(INT("&form.id;")) == "&form.id;"'>
But that is still subject to injection attacks, if you put double quotes
in the form argument.  But, it seems to work against anything else...

So, my question for the list is: Is there a good standard way to do form
argument validation in RXML?  I can see doing it with some added Pike
code (a new if plugin that takes a var _name_ and validates the content
for you.)  But from RXML everything I've thought of has problems with
some form of injection attack.

If you want to see the actual pages, they are, among other things, the
library catalog at <http://MAP.MAP-NE.com/Library/> (but these don't
even have that above test in them, yet, only the dev version does, so
please don't abuse this too much).

           ___
  /|  /|  /|  \    Michael A. Patton, President       [email protected]
 / | / | /_|__/    MAP Network Engineering         http://MAP-NE.com
/  |/  |/  |       Network Infrastructure design: Routing, DNS, more

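A worked illustration of the problem described above and of one way to check the argument, added here as an example; it is not code from the original post and not part of Roxen/RXML. Python against an in-memory SQLite table stands in for the MySQL query, the "books" table and its three rows are constructed, and "1 or 1=1" is used in place of "1 or true" only because older SQLite builds lack the TRUE keyword. The strict check is a digits-only regular expression, so anything else (spaces, quotes, a sign, "or ...") is rejected before any SQL is built; the safe path also passes the value as a bound parameter rather than splicing it into the query text, which covers the case the STRING(INT(...)) trick leaves open when the argument contains a double quote.

```python
import re
import sqlite3

# Digits only, anchored with \A and \Z so a trailing newline cannot sneak
# past (a plain $ would accept "42\n").  Sign, spaces, quotes, "or" all fail.
_ID_RE = re.compile(r"\A[0-9]+\Z")


def is_integer_id(value):
    """Return True only if value is a plain unsigned decimal integer."""
    return isinstance(value, str) and _ID_RE.match(value) is not None


def make_db():
    """Constructed sample data: a tiny 'books' table standing in for the catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO books VALUES (?, ?)",
        [(1, "First"), (2, "Second"), (3, "Third")],
    )
    return conn


def vulnerable_lookup(conn, form_id):
    """Mirrors 'where id=&form.id;': the raw form value is pasted into the SQL."""
    sql = "SELECT id, title FROM books WHERE id=" + form_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, form_id):
    """Validate first, then bind the value instead of splicing it into the text.

    Returns None when the argument is rejected, otherwise the matching rows
    (an empty list when no row has that id, which the caller handles as before).
    """
    if not is_integer_id(form_id):
        return None
    return conn.execute(
        "SELECT id, title FROM books WHERE id=?", (int(form_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))          # one row
    print(vulnerable_lookup(db, "1 or 1=1"))   # every row: the WHERE clause is subverted
    print(safe_lookup(db, "1"))                # one row
    print(safe_lookup(db, "1 or 1=1"))         # None: rejected before any SQL runs
    for bad in ['1"', " 1", "1\n", "-1", "0x1", "", "1 or true"]:
        print(repr(bad), is_integer_id(bad))   # all False
```

The same split applies in any server-side language: decide whether the argument is an integer with a check that can never be confused by the argument's own characters, and keep the value out of the query text entirely when the database interface allows it.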