Why is input sanitation important for your web app?

Ishalli Garg
3 min read · Dec 19, 2020


A common mistake we developers make when creating input forms for a web application is overlooking input sanitation.

On the one hand you need to accept only what is valid (input validation), and on the other hand you want a bit of flexibility to accept input that makes sense.

Data sanitation takes input validation a step further. It refers to the ways the code modifies the input. In general, data sanitation cleans up what the user entered during the validation process.

Both input validation and data sanitation are used to increase the security of an application. Either or both should raise an error and give the user some information about what was wrong with the input.

As an example, in web applications the lack of validation and sanitation may open the application to common attacks such as buffer overflows, SQL injection, command injection, and cross-site scripting, which exploit the gap between what the website expects and what the server actually receives. An attacker can encode special characters to execute unauthorised actions that compromise security. With input sanitation in place, these types of attacks can be prevented. Not validating or sanitising input exposes the code, the system, and the infrastructure running that code to exploitation.

In today's security-sensitive environments, it is critical to focus on secure software development methods. Quite a few holes in software exist because of poor programming practices, and they can lead to the complete failure of your application.

So let's take an example of a very simple script injection: entering JavaScript code into the input field of a PHP form has considerable potential for damage if it is not handled properly.

<?php
// Malicious input as the article presents it: a script tag that the page echoes back unchanged,
// so the browser executes it. Straight quotes are required here; typographic quotes break PHP.
$string = '<script> alert("Pay me a million dollars or I will delete your files!"); </script>';
echo $string;
?>

If any user submits the above string as input to your web application, you will see the alert on your interface asking for a million dollars. Now imagine an attacker replacing this alert with JavaScript that deletes all the data of your application or redirects pages from your application to the attacker's address.

PHP provides many built-in functions to handle this. Let's look at the piece of code below, where we have used filter_var().

<?php
$string = '<script> alert("Pay me a million dollars or I will delete your files!"); </script>';
// FILTER_SANITIZE_STRING strips HTML tags and encodes quotes; FILTER_FLAG_STRIP_HIGH also drops
// bytes above ASCII 127. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so on
// current PHP versions use htmlspecialchars() or strip_tags() instead.
$filteredString = filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
echo $filteredString; // the <script> tags are gone; only the encoded text remains
?>

There are other functions we can use, like htmlentities(), which converts all applicable characters to HTML entities so the browser renders them as text instead of markup.
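As an added example (not code from the article), here is a small PHP form handler that applies both steps: it validates each field with a whitelist or filter_var() and escapes with htmlspecialchars() before echoing anything back, so even the alert payload from above is rendered as harmless text. The $input array is a constructed stand-in for $_POST so the script runs offline.

```php
<?php
// Added example, not from the original article: validate each form field
// with a whitelist or filter_var(), then escape on output with htmlspecialchars().
// $input is a constructed stand-in for $_POST so the script runs offline.
$input = [
    'name' => '<script> alert("Pay me a million dollars or I will delete your files!"); </script>',
    'age'  => '42',
];

// Returns [$clean, $errors]: accepted values, plus one message per rejected field.
function validateForm(array $input): array
{
    $clean = $errors = [];
    // Name: whitelist letters, spaces, hyphens and apostrophes, at most 80 chars.
    // The <script> payload above fails this check and is never stored.
    $name = trim((string)($input['name'] ?? ''));
    if (preg_match("/^\p{L}[\p{L} '-]{0,79}$/u", $name) === 1) {
        $clean['name'] = $name;
    } else {
        $errors['name'] = 'Name contains characters that are not allowed.';
    }
    // Age: FILTER_VALIDATE_INT with a range returns false for "42abc", "-1" or "900".
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors['age'] = 'Age must be a whole number between 0 and 150.';
    }
    return [$clean, $errors];
}

// Escape for an HTML context: even a value that slipped past validation is
// rendered as text, so the browser never executes it as script.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

[$clean, $errors] = validateForm($input);
foreach ($errors as $field => $message) {
    echo '<p class="error">' . h($field) . ': ' . h($message) . "</p>\n";
}
foreach ($clean as $field => $value) {
    echo '<p>' . h($field) . ': ' . h((string)$value) . "</p>\n";
}
```

Validation decides what is accepted into the application, and the escaping in h() protects the page regardless of what was accepted; the two are complementary, not interchangeable.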

Quite simple, right?

Quick Tip — You can test your form inputs with this big list of naughty strings.

An application receives queries and requests from untrusted sources that might expose the system to malicious attacks. Input sanitation ensures that the entered data conforms to subsystem and security requirements, eliminating unnecessary characters that could cause harm.

I’m not responsible for this article being abused for something bad.
Remember we are not crackers who do vandalism.
