Blacklisting vs whitelisting in the form of input filtering and verification

Which is the preferred approach to sanitize user input?

Thank you!

+3
7 answers

The best approach is to either use stored procedures or parameterized queries. The whitelist is an additional technique that allows you to prevent any injection before it reaches the server, but it should not be used as your main protection. A blacklist is usually bad because it is usually not possible to filter out all malicious inputs.

, , , sql.

+3
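As an added illustration of the point made in this answer (example code written for this page, not from the original post), the snippet below runs the same lookup three ways against a constructed in-memory SQLite table: by concatenating the input into the SQL text, by concatenating after a blacklist filter that strips quote characters, and with a parameterized query. The table rows and the user name "O'Brien" are constructed sample data; the blacklist tokens are an assumption chosen to show the typical shape of such a filter.

```python
import sqlite3

# Constructed sample data (assumption, not from the original post).
USERS = [("O'Brien", "obrien@example.com"), ("Smith", "smith@example.com")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concatenated(conn, name):
    """Anti-pattern: the input becomes part of the SQL text.

    A legitimate apostrophe already breaks the statement, which is the same
    mechanism an attacker relies on; here it surfaces as a syntax error.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


# Assumed blacklist of "dangerous" characters (the approach the answer warns against).
BLACKLIST = ["'", '"', ";", "--"]


def blacklist_filter(value):
    """Strip every blacklisted token from the input."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value


def lookup_blacklisted(conn, name):
    """Concatenation behind a blacklist: no error, but the input is mangled,
    so the genuine user O'Brien is never found."""
    return lookup_concatenated(conn, blacklist_filter(name))


def lookup_parameterized(conn, name):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so the apostrophe is just data and the row is found."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo(name="O'Brien"):
    """Run all three lookups for one input and return the results side by side."""
    conn = make_db()
    return {
        "concatenated": lookup_concatenated(conn, name),
        "blacklisted": lookup_blacklisted(conn, name),
        "parameterized": lookup_parameterized(conn, name),
    }


if __name__ == "__main__":
    for approach, result in demo().items():
        print(f"{approach:14s} -> {result}")
```

The blacklisted variant is the instructive one: it "fixes" the error only by silently changing the user's data, and any character the list forgot still reaches the SQL text unchanged. The parameterized variant needs no filtering at all, which is why it belongs at the core and a whitelist of expected values is only a second layer on top.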

WL - BL, .

: , , , , . , , , !

+2

, - , HTML . , symfony 1.x :

// symfony 1.x form: the select widget and the choice validator share one
// fixed list of subjects, so any value outside that list is rejected.
class ContactForm extends sfForm
{
  protected static $subjects = array('Subject A', 'Subject B', 'Subject C');

  public function configure()
  {
    $this->setWidgets(array(
      'name'    => new sfWidgetFormInput(),
      'email'   => new sfWidgetFormInput(),
      // renders <option value="0">Subject A</option> etc.; the submitted value is the key
      'subject' => new sfWidgetFormSelect(array('choices' => self::$subjects)),
      'message' => new sfWidgetFormTextarea(),
    ));
    $this->widgetSchema->setNameFormat('contact[%s]');

    $this->setValidators(array(
      'name'    => new sfValidatorString(array('required' => false)),
      'email'   => new sfValidatorEmail(),
      // only the keys of the fixed list are accepted, matching the select widget above
      'subject' => new sfValidatorChoice(array('choices' => array_keys(self::$subjects))),
      'message' => new sfValidatorString(array('min_length' => 4)),
    ));
  }
}

, , . , . . , , , ...

:

class ContactController {
    /**
    * @input("name", type = "string", singleLine = true, required = false)
    * @input("email", type = "email")
    * @input("subject", type = "string", alternatives = ['Subject A', 'Subject B', 'Subject C'])
    * @input("message", type = "string", range = [4,])
    */
    public function post(Inputs $inputs){
        //automatically validates inputs
        //throws error when an input is not on the list
        //throws error when an input has invalid value
    }
}

/**
* @controller(ContactController)
* @method(post)
*/
class ContactForm extends sfFormX {

  public function configure(InputsMeta $inputs)  
  {
    //automatically binds the form to the input list of the @controller.@method
    //throws error when the @controller.@method.@input is not defined for a widget
    $this->addWidgets(
      new sfWidgetFormInput($inputs->name),  
      new sfWidgetFormInput($inputs->email),  
      new sfWidgetFormSelect($inputs->subject),  
      new sfWidgetFormTextarea($inputs->message)
    );
    $this->widgetSchema->setNameFormat('contact[%s]');  
  }  
}

+2
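The two listings in this answer both express the same idea: every field has a declared type and allowed range, and anything not declared is an error. The block below is an added example (written for this page, not symfony code and not the sketched sfFormX API) that implements that behaviour as a plain schema validator in Python, using the same four fields and the same subject list as the contact form; the email pattern, the `max_length` of 100 for the name, and the error strings are assumptions.

```python
import re

# Allowed subjects, mirroring the fixed list in the form above.
SUBJECTS = ("Subject A", "Subject B", "Subject C")

# Deliberately conservative allowlist pattern for addresses (assumption).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Declarative schema: the validator only knows these fields and these rules.
CONTACT_SCHEMA = {
    "name":    {"required": False, "max_length": 100, "single_line": True},
    "email":   {"required": True, "pattern": EMAIL_RE},
    "subject": {"required": True, "choices": SUBJECTS},
    "message": {"required": True, "min_length": 4},
}


def validate(schema, data):
    """Return a dict of field -> error message; empty means the input is accepted.

    Whitelist semantics: fields not in the schema are rejected, and each
    declared field must satisfy every rule before it passes.
    """
    errors = {}

    # 1. Reject anything the schema does not declare.
    for field in data:
        if field not in schema:
            errors[field] = "unexpected field"

    # 2. Check each declared field against its rules.
    for field, rules in schema.items():
        value = data.get(field)
        if value is None or value == "":
            if rules.get("required", True):
                errors[field] = "required"
            continue
        if not isinstance(value, str):
            errors[field] = "must be a string"
            continue
        if rules.get("single_line") and ("\n" in value or "\r" in value):
            errors[field] = "must be a single line"
        elif "max_length" in rules and len(value) > rules["max_length"]:
            errors[field] = "too long"
        elif "min_length" in rules and len(value) < rules["min_length"]:
            errors[field] = "too short"
        elif "pattern" in rules and not rules["pattern"].match(value):
            errors[field] = "invalid format"
        elif "choices" in rules and value not in rules["choices"]:
            errors[field] = "not an allowed choice"
    return errors


if __name__ == "__main__":
    # Constructed submissions: one valid, one violating every rule at once.
    good = {"name": "Ada", "email": "ada@example.com",
            "subject": "Subject B", "message": "Hello there"}
    bad = {"name": "A\nB", "email": "not-an-email", "subject": "Subject Z",
           "message": "hi", "admin": "1"}
    print("good:", validate(CONTACT_SCHEMA, good))
    print("bad: ", validate(CONTACT_SCHEMA, bad))
```

Because the schema is the single source of truth, the same structure can drive both the server-side check and the rendering of the form widgets, which is the coupling the answer asks for; a field added to the HTML but not to the schema fails closed instead of slipping through.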

. , , . . , - "", , .

, , , :) @posterBelow

+1

.

  • VS

    . Blacklist XSS SQL Injection . , .

    II. " XSS" " SQL-" . / / , .

  • ?

    . . , . , , ?

    II. - . , , - . , - . - , .

    . , , , . , .

+1

, , , , , , , , , - , . , . , , , OWASP "Sanitize with Blacklist":

(, HTML ), "". , . , , , .

, - . XSS "Escape", , , , HTML- , , , , , XSS-. SQL- , , . . , , . , db "", . , , , :

OWASP

OWASP SQL

+1

, , .

(, ) , .

. , , (escape- ..). , - , , .

I think this is just a case of finding a mixture that works for you. I cannot come up with a single solution that would work for all the possibilities. It mainly depends on your user base.

0

Source: https://habr.com/ru/post/1761375/
