Section 4.3.3 General: Use "built-in" validation mechanisms.
Coldfusion
  • Use the XML functions (isXML, isXmlAttribute, isXmlElement, isXmlNode, isXmlRoot, and xmlValidate) to validate XML input.
  • When performing XPath searches and transformations in ColdFusion, validate the source before executing.
  • Use ColdFusion validation techniques to sanitize strings passed to xmlSearch for performing XPath queries.
  • When performing XML transformations use only a trusted source for the XSL stylesheet.
  • Ensure that the memory size of the Java Sandbox containing ColdFusion can handle large XML documents without adversely affecting server resources.
  • Set the maximum memory (heap) value (-Xmx) to less than the amount of RAM on the server.
  • Remove DOCTYPE elements from the XML string before converting it to an XML object.
  • Use scriptProtect to thwart most attempts of cross-site scripting. Set scriptProtect to All in the Application.cfc file.
  • Use <cfparam> or <cfargument> to instantiate variables in ColdFusion. Use these tags with the name and type attributes. If the value is not of the specified type, ColdFusion returns an error.
  • To handle untyped variables use IsValid() to validate its value against any legal object type that ColdFusion supports.
  • Use <cfqueryparam> and <cfprocparam> to validate dynamic SQL variables against database datatypes.
  • Use CFLDAP for accessing LDAP servers. Avoid allowing native JNDI calls to connect to LDAP.
Django

See Django's built-in form field classes.

Java

Use Struts validation mechanisms through your own custom/configurable validation rules, Validation.xml, and Validation-rules.xml. Also use Apache Commons Validator for existing validation support (org.apache.commons.validator.GenericValidator).

.NET

By default, ASP.NET provides request validation that throws an error if a user submits certain HTML entities. ASP.NET also provides several validators (inheriting from the BaseValidator class) that can be used to validate user data; such controls include client-side validation in addition to server-side validation. Checking for appropriate datatype submission can be achieved by using such built-in methods as Int32.TryParse().

PHP

Use native PHP functions to filter your input if possible, since they are generally more robust than locally defined functions. For example:

  • is_numeric()
  • ctype_alpha()
  • filter_var()

Use the basename() function when possible for filtering filenames.
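As an added example (not part of this guide), the three native PHP validators listed above and basename() applied to untrusted request input, with an explicit allowlist on top of basename(), since stripping directory components alone does not prove a filename is one the application intends to serve. Function names and the sample values are constructed for illustration.

```php
<?php
// Added example: validating untrusted input with native PHP functions.
declare(strict_types=1);

/**
 * Validate a user-supplied page size as an integer in [1, 100].
 * FILTER_VALIDATE_INT rejects "1e3", "12.0" and non-numeric strings
 * (is_numeric() would accept "1e3") and returns the typed int on success.
 */
function validatePageSize(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    return $n === false ? null : $n;
}

/**
 * Validate a two-letter language code (e.g. "en").
 * ctype_alpha() accepts only letters, so digits, spaces and punctuation
 * are rejected outright rather than "cleaned".
 */
function validateLanguage(string $raw): ?string
{
    return (strlen($raw) === 2 && ctype_alpha($raw)) ? strtolower($raw) : null;
}

/**
 * Reduce a requested filename to its last path component with basename(),
 * then accept it only if it is on an explicit allowlist. basename() drops
 * directory parts such as "../", but the allowlist is what decides.
 */
function validateAttachmentName(string $raw, array $allowed): ?string
{
    $name = basename($raw);
    return in_array($name, $allowed, true) ? $name : null;
}

// Constructed sample values standing in for $_GET parameters.
$allowedFiles = ['report.pdf', 'summary.csv'];
var_dump(validatePageSize('25'));
var_dump(validatePageSize('1e3'));
var_dump(validateLanguage('en'));
var_dump(validateLanguage('e1'));
var_dump(validateAttachmentName('../config/report.pdf', $allowedFiles));
var_dump(validateAttachmentName('notes.txt', $allowedFiles));
```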