Couple big things are 1. Only accept reasonable characters, on a white list instead of rejecting bad characters based on a black list. This will mean you are less likely to forget to block /0 for example. 2. Understand how strings work and ensure both reading and writing to that string doesn’t extend beyond the end of memory allocated for the string. For example do you understand what the /0 would do to a string your program accepts?
Depends…how well written the form is. Often stuff like this is pushed to libraries who have covered all the gotchas but you have to be careful not to get into dependency hell. Understand where to use them and not. For example don’t use left_pad but also don’t make your own encryption.
How easy is it to allow new lines,very easy. The important part is only accepting new lines e.g. /r/n a well made form can include extra functions but anything not defined should be denied.
Also consider you likely should not accept a username with a semi-colon in it…
Keep in mind, the lowercase and uppercase letters are in continuous blocks on the ASCII table so you can can use that to verify if a char is a letter without doing an incredible long chain of if else statements.
Santize inputs.
I’ll get back to you on exploits when I can write something that throws zero compilation errors. 😈
Couple big things are 1. Only accept reasonable characters, on a white list instead of rejecting bad characters based on a black list. This will mean you are less likely to forget to block /0 for example. 2. Understand how strings work and ensure both reading and writing to that string doesn’t extend beyond the end of memory allocated for the string. For example do you understand what the /0 would do to a string your program accepts?
Is it easy for a good developer to allow new lines without any extra security risk exposure?
Sometimes e.g. a government form will remove new lines, though perhaps sometime they intend to reduce length.
Depends…how well written the form is. Often stuff like this is pushed to libraries who have covered all the gotchas but you have to be careful not to get into dependency hell. Understand where to use them and not. For example don’t use left_pad but also don’t make your own encryption.
How easy is it to allow new lines,very easy. The important part is only accepting new lines e.g. /r/n a well made form can include extra functions but anything not defined should be denied.
Also consider you likely should not accept a username with a semi-colon in it…
Sic! Thanks! I’ll work on this this weekend! 😊
Keep in mind, the lowercase and uppercase letters are in continuous blocks on the ASCII table so you can can use that to verify if a char is a letter without doing an incredible long chain of if else statements.