Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
 
Python and Tcl - public course schedule [here]
Private courses on your site - see [here]
Please ask about maintenance training for Perl, PHP, Lua, etc
 
Robust checking of data entered by users

10 steps to testing the bullet proofing user inputs or how to avoid being caught by nasties when your script goes live!

1. Test it works with intended entries. It's not going to be much good if it falls over when someone entered a valid piece of data!

2. Test it works (fails correctly) with erroneous entries. Does it reject entries that should be rejected? Does it place the invalid text back in the form for the user to correct it? Does it also "sticky" the other fields, including selects, checkboxes and radio buttons, so that the user doesn't have to re-enter them? Does it offer a good explanation to the user of what the error was, and what inputs are acceptable?

3. Test it acts appropriately with inputs that include awkward characters and sequences such as < and " and ' and & and ../ and .htaccess ... and 3.5 and three where you've asked for a whole number. These are all important "security issues"; you should check that you're protected against ugly display echos if someone enters an HTML tag, SQL injection attacks, and file names that are reserved or navigate the directory tree.

4. Test it against a whole file of inputs There may be some "odd" cases you haven't thought of in the testing above. Do you have a whole file of data / inputs that you can run the script against? Example of what you might find - a user name gets confused with another user name that's a shortened form of it. I recall having "issues" with a computer called seal and another called sealion.

5. Test it works without cookies and on different browsers. This mainly refers to how the output looks, but if your user is refusing cookies, will the site be usable? Will he be irritated by being asked at every page? On different browsers, how does it look? And have you embedded any javascript or tags that are browser-specific and cause problems?

6. How do you implement your acceptable user policy? If your script is publishing the information entered on your site, how do you monitor for acceptable content? If it's a voting script, have you prevented one person rigging the system by multi-voting? If it's an online test, have you prevented your user selecting the back button and correcting his answers when you've told him he got a question wrong?

7. Have your colleague test that it works for him / her. Even with all of the above, you may overlook something. Or what is obvious to you might not be to someone else (e.g. is the submit button clear ...). Better to find this sort of thing out before you've got 000s of users.

8. Have the person who commissioned the script test that it works for him / her. Very much worthwhile having your paymaster on site, and after following the steps above the script should be impressibe in its robustness. Oh - and if it goes pear-shaped later, you did have the approval of the commissioner.

9. Release to some "tame" customers. Chances are that everyone who's used the script up to this point has been deeply involved and knows what it's about. Having a few customers look and provide feedback at a late stage will alert you to anything which is blindingly obvious in-house but not at all clear to Joe Public.

10. Release to the world. ... with a feedback link, and do make sure that you have a look at the log files and see the pattern of use.
(written 2005-08-27, updated 2008-05-17)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H115 - Designing PHP-Based Solutions: Best Practice
  [4691] Real life PHP application using our course training MVC example - (2016-06-05)
  [4641] Using an MVC structure - even without a formal framework - (2016-02-07)
  [4326] Learning to program - comments, documentation and test code - (2014-11-22)
  [4118] We not only teach PHP and Python - we teach good PHP and Python Practice! - (2013-06-18)
  [4069] Even early on, separate out your program from your HTML! - (2013-04-25)
  [3926] Filtering PHP form inputs - three ways, but which should you use? - (2012-11-18)
  [3820] PHP sessions - a best practice teaching example - (2012-07-27)
  [3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
  [3539] Separating program and artwork in PHP - easier maintainance, and better for the user - (2011-12-05)
  [2679] How to build a test harness into your PHP - (2010-03-16)
  [2430] Not just a PHP program - a good web application - (2009-09-29)
  [2221] Adding a newsfeed for your users to a multipage PHP application - (2009-06-06)
  [2199] Improving the structure of your early PHP programs - (2009-05-25)
  [1794] Refactoring - a PHP demo becomes a production page - (2008-09-12)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1623] PHP Techniques - a workshop - (2008-04-26)
  [1533] Short and sweet and sticky - PHP form input - (2008-02-06)
  [1490] Software to record day to day events and keep an action list - (2007-12-31)
  [1487] Efficient PHP applications - framework and example - (2007-12-28)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1391] Ordnance Survey Grid Reference to Latitude / Longitude - (2007-10-14)
  [1390] Converting from postal address to latitude / longitude - (2007-10-13)
  [1389] Controlling and labelling Google maps via PHP - (2007-10-13)
  [1381] Using a MySQL database to control mod_rewrite via PHP - (2007-10-06)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1321] Resetting session based tests in PHP - (2007-08-26)
  [1194] Drawing hands on a clock face - PHP - (2007-05-19)
  [1182] Painting a masterpiece in PHP - (2007-05-10)
  [1181] Good Programming practise - where to initialise variables - (2007-05-09)
  [1166] Back button - ensuring order are not submitted twice (PHP) - (2007-04-28)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [1047] Maintainable code - some positive advice - (2007-01-21)
  [945] Code quality counts - (2006-11-26)
  [936] Global, Superglobal, Session variables - scope and persistance in PHP - (2006-11-21)
  [896] PHP - good coding practise and sticky radio buttons - (2006-10-17)
  [839] Reporting on the 10 largest files or 10 top scores - (2006-08-20)
  [572] Giving the researcher power over database analysis - (2006-01-22)
  [563] Merging pictures using PHP and GD - (2006-01-13)
  [394] A year on - should we offer certified PHP courses - (2005-07-28)
  [340] Code and code maintainance efficiency - (2005-06-08)
  [261] Putting a form online - (2005-03-29)
  [237] Crossfertilisation, PHP to Python - (2005-03-06)
  [123] Short underground journeys and a PHP book - (2004-11-19)

H117 - Security in PHP
  [4642] A small teaching program - demonstration of principles only - (2016-02-08)
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [2688] Security considerations in programming - what do we teach? - (2010-03-22)
  [2628] An example of an injection attack using Javascript - (2010-02-08)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [1747] Who is watching you? - (2008-08-10)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
  [947] What is an SQL injection attack? - (2006-11-27)
  [920] A lion in a cage - PHP - (2006-11-10)
  [345] Spotting a denial of service attack - (2005-06-12)

P404 - Perl - Extending Flexibility Using CGI
  [1365] Korn Shell scripts on the web - (2007-09-25)
  [1187] Updating a page strictly every minute (PHP, Perl) - (2007-05-14)
  [641] Simple but rugged form handling demo - (2006-03-10)
  [590] Danny and Donna are getting married - (2006-02-03)

P609 - Perl - Network Security
  [2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)

Y202 - Python on the Web
  [4536] Json load from URL, recursive display, Python 3.4 - (2015-10-14)
  [4404] Which (virtual) host was visited? Tuning Apache log files, and Python analysis - (2015-01-23)
  [4089] Quick and easy - showing Python data hander output via a browser - (2013-05-15)
  [2365] Counting Words in Python via the web - (2009-08-18)
  [1745] Moodle, Drupal, Django (and Rails) - (2008-08-08)
  [903] Pieces of Python - (2006-10-23)
  [433] FTP - how to make the right transfers - (2005-09-01)


Back to
Caching an XML feed
Previous and next
or
Horse's mouth home
Forward to
The Melksham train - a button is pushed
Some other Articles
Linux commands - some basics
Charlie on Monday
Swindon - Chippenham - Melksham - Trowbridge - Westbury train service
The Melksham train - a button is pushed
Robust checking of data entered by users
Caching an XML feed
How not to run a forum
A Victorian Lady
PHP Magic Quotes
Don't repeat code - use loops or functions
4759 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2019: 404 The Spa • Melksham, Wiltshire • United Kingdom • SN12 6QL
PH: 01225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/426_Robu ... users.html • PAGE BUILT: Sat May 27 16:49:10 2017 • BUILD SYSTEM: WomanWithCat