Secure input and output handling are secure programming techniques designed to prevent security bugs and the exploitation thereof.
Input handling is how an application, server or other computing system handles the input supplied from users, clients, or a computer network.
Secure input handling is often required to prevent vulnerabilities related to Code injection, Directory traversal and so on.
To keep malicious inputs contained, any inputs written to the database need to be encoded.
SQL encoding: ' OR 1=1 --' is encoded to \' OR 1=1 --\'
In PHP this can be done with the function mysql_real_escape_string()[1] (removed in PHP 7.0; mysqli_real_escape_string() is its replacement) or with PDO::quote()[2].
There may be other solutions, depending on which programming language is used and what type of code injection is being prevented. E.g., the htmLawed PHP script can be used to remove cross-site scripting code.
In particular, to prevent SQL injection, parameterized queries (also known as prepared statements and bind variables) are excellent for improving security while also improving code clarity and performance.
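The following is an added example (not part of the original article) that contrasts the three approaches just described: concatenating raw input into the SQL text, escaping the input before concatenation, and using a parameterized query. It uses Python's standard sqlite3 module with a constructed in-memory table and the article's ' OR 1=1 --' input. Note that the escaping rule shown (doubling single quotes) is the standard-SQL/SQLite convention; MySQL's mysql_real_escape_string() uses backslash escaping instead, which is why an escaper must match the target database's dialect, whereas parameters need no such care.

```python
import sqlite3

# Constructed sample data for the demonstration; not real accounts.
SAMPLE_USERS = [("alice", "s1"), ("bob", "s2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is pasted straight into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_sql_literal(value: str) -> str:
    """Standard-SQL/SQLite escaping for a string literal: double each quote.

    This is the equivalent of the article's 'encoding' step for this dialect.
    MySQL (mysql_real_escape_string) would backslash-escape instead.
    """
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Concatenation, but with the literal escaped first."""
    sql = "SELECT name FROM users WHERE name = '" + escape_sql_literal(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Preferred: a parameterized query; the driver never parses the value as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# The injection string from the article, used here as the test input.
PAYLOAD = "' OR 1=1 --'"


def demo() -> dict:
    """Run all three lookups against the same input and return their results."""
    conn = make_db()
    return {
        "unsafe": lookup_unsafe(conn, PAYLOAD),    # returns every user
        "escaped": lookup_escaped(conn, PAYLOAD),  # no match
        "param": lookup_param(conn, PAYLOAD),      # no match
        "normal": lookup_param(conn, "alice"),     # ordinary lookup still works
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:8s} -> {result}")
```

In the unsafe variant the `--` turns the rest of the statement into a comment and `OR 1=1` makes the WHERE clause true for every row, so the whole table comes back; the escaped and parameterized variants both treat the input as an ordinary (non-matching) name.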
Output handling is how an application, server or system handles the output (e.g. generating HTML, printing, logging, ...). It is important to keep in mind that output often contains input supplied from users, clients, the network, databases etc.
Secure output handling is primarily associated with preventing Cross-site Scripting (XSS) vulnerabilities, but it can also be important in similar areas (e.g. if generating Microsoft Office documents with some API, output management could potentially be required to prevent macro injection).
"Encoding" processes content that is about to be output so that any potentially dangerous characters are made safe. Characters from a typical known safe charset for the particular destination medium are often left as they are. A simple encoding might leave alone the alphanumerics a-z, A-Z and 0-9. Any other character could possibly be interpreted in an unexpected manner, and is therefore replaced with the appropriate "encoded" representation.
HTML encoding: <script> is encoded to &lt;script&gt;
In PHP this can be done with the function htmlspecialchars()[3].
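As an added example (not from the original article), the block below implements two output encoders in Python: the conservative scheme described above, which passes only a-z, A-Z and 0-9 through unchanged and turns every other character into a numeric character reference, and a minimal one in the spirit of PHP's htmlspecialchars(), here provided by Python's html.escape(). The function names strict_encode, encode_for_html and render_greeting are this example's own; the template is a constructed one.

```python
import html


def strict_encode(text: str) -> str:
    """Encode everything except ASCII a-z, A-Z and 0-9 as &#NN; references.

    This is the conservative 'known safe charset' approach from the text:
    whitespace, punctuation and non-ASCII are all encoded, which is safe in
    both element content and quoted attribute values.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#{ord(ch)};")
    return "".join(out)


def encode_for_html(text: str) -> str:
    """Minimal HTML encoding: & < > " ' become entities, all else is kept.

    Comparable in spirit to PHP's htmlspecialchars(); quote=True is needed
    so the value is also safe inside a quoted attribute.
    """
    return html.escape(text, quote=True)


def render_greeting(name: str) -> str:
    """Place user-supplied text in both an attribute and element content."""
    safe = encode_for_html(name)
    return f'<p title="{safe}">Hello, {safe}!</p>'


if __name__ == "__main__":
    sample = "<script>"  # constructed input
    print(encode_for_html(sample))  # &lt;script&gt;
    print(strict_encode(sample))    # &#60;script&#62;
    print(render_greeting('">' + sample))
```

Both encoders neutralise `<script>`; the difference is how much they leave alone. The strict variant is simpler to reason about (the output can only ever contain alphanumerics, `&`, `#`, digits and `;`) at the cost of bulkier output, while the htmlspecialchars-style encoder keeps text readable and is adequate for element content and quoted attributes, but not for contexts such as inline JavaScript or URLs, which need their own encoding rules.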