Page 1

Form Validator

“Hasta La Vista SQL Injection”

Page 2

Their Job, Our Job, Its Job

Chris Anley mentions four best practices to avoid SQL injection:
– Three are sysadmin and DBA tasks.
– Only one is related exclusively to coding: comprehensive input validation.

That’s what the Form Validator does!

Page 3

You’re Not Saying…?!?

No, this is NOT the silver bullet for security, or even just for SQL injection.

Comprehensive input validation:
– “Comprehensive” now may not be comprehensive tomorrow.
– Your “comprehensive” may be more than mine.

We need a foundation on which to build.

Page 4

Another “Perfectly Conceived” Acronym

FDF originally stood for Form DeFinition – hideously stupid.

It could stand for Form Definition File – I like this one.

Whatever you call it, here lie the building blocks of the Form Validator: XML.

Page 5

Form Definition File

Built on XML.

Makes use of a set of pre-defined tags to create rules for a form and the elements on that form.

Each FDF file begins (after the <?xml …?> declaration) with the fdf tag.

Structure of all of the tags under fdf…

Page 6

From <start> to </start>

fdf
– form
– return
– group (optional)
    id
    required
    total
– rule (optional groupid="<group-id>")
    display
    field
    length
    type
    required

Page 7

Elements Explained…

form
– Describes the name of the form which the validator is validating.
– XML syntax – <form>…</form>

return
– Describes the URL of the page which contains the above form.
– XML syntax – <return>…</return>

Page 8

Grouped Fields

Need an “Outta”?

group
– Contains the information for a particular set of grouped fields.
– XML syntax:
    <group>
      <id>…</id>
      <required>…</required>
      <total>…</total>
    </group>

Optional “groupid” attribute

Page 9

Form Validator – Ruler of the Form

The individual rules for each form element.

rule
– Contains the information for a particular form field.
– XML syntax:
    <rule>
      <display>…</display>
      <field>…</field>
      <length>…</length>
      <type>…</type>
      <required>…</required>
    </rule>

Page 10

Grouped By Group ID

The “groupid” attribute can be given to a rule to associate it with a group of rules.

For example:
    <group>
      <id>…</id>
    </group>

    <rule groupid="…">
      …
    </rule>

Page 11

Stick Together and We’ll Make It Through

All <group>…</group> tags must be together, before all <rule>…</rule> tags.

The format is:
    <group>…</group>
    <group>…</group>
    <rule>…</rule>
    <rule>…</rule>
    <rule>…</rule>

Page 12

Sample FDF

<?xml version="1.0" encoding="UTF-8"?>
<fdf>
  <form>frmSave</form>
  <return>index.cfm?subap=Lubay&amp;action=EditItem&amp;ItemID=#ItemID#</return>
  <group>
    <id>group1</id>
    <required>1</required>
    <total>2</total>
  </group>
  <rule groupid="group1">
    <display>Title</display>
    <field>txtItemName</field>
    <length>50</length>
    <type>Char</type>
    <required>1</required>
  </rule>
  <rule groupid="group1">
    <display>Description</display>
    <field>txtDescription</field>
    <length>500</length>
    <type>Char</type>
    <required>1</required>
  </rule>
  <rule>
    <display>Name</display>
    <field>txtName</field>
    <length>20</length>
    <type>Char</type>
    <required>0</required>
  </rule>
</fdf>

Page 13

Pause for Effect

Normal Form System Methodology

Form Posted → SQL Generated → SQL Run on DB

Page 14

Pause for Effect

Form Validator System

Form Posted → Checked Against FDF → SQL Generated → SQL Run on DB

All you have to do is plug in the Form Validator.

Page 15

How to “Plug It In”

Find the file to which a form is posted.

Before ANY action is taken with that data (i.e. before it is dynamically placed in a SQL query), call the Form Validator.

Example call:

<cfmodule template="/wwwAdmin/CF_tags/Validate_Form_XML.cfm" fdf_url="/ProDev/fdf/fdf_frmSave.xml">

If all of the data submitted is valid according to the FDF rules, then nothing happens and the action on the data takes place.

If any of the data submitted is not valid…

Page 16

Watch Out! A Boomerang!

If any of the data submitted is not valid, then the page pointed to by the URL in the <return>…</return> tag in the FDF needs to be ready to receive:
– h_<field-name> hidden form fields, which contain all data fields submitted to the validator.
– err_<field-name> hidden form fields, which contain an error message for each field that failed validation.
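As an added Python model of the validate-then-boomerang behaviour described on this page and the FDF structure on pages 5 to 12 (this is example code written for this page, not the slides' ColdFusion tag, whose source is not shown here): it parses a constructed FDF modelled on the frmSave sample, checks a posted form against the rules and groups, and when anything fails returns the h_<field> and err_<field>/err_<group-id> values the return page must accept. The meaning given to a group's <required> and <total>, the extra "Numeric" type, and the wording of the error messages are assumptions of this example.

```python
"""Hypothetical Python model of the slides' Validate_Form_XML.cfm tag (not the
tag itself): parse an FDF, check a posted form against its <rule>s and
<group>s, and build the h_/err_ fields the <return> page must accept.
Assumed, not from the slides: a group's <required> is how many of its
fields must be filled in, and the extra "Numeric" type."""
import xml.etree.ElementTree as ET

# Constructed sample FDF, modelled on the slides' frmSave example.
SAMPLE_FDF = """<?xml version="1.0" encoding="UTF-8"?>
<fdf>
  <form>frmSave</form>
  <return>index.cfm?subap=Lubay&amp;action=EditItem</return>
  <group><id>group1</id><required>1</required><total>2</total></group>
  <rule groupid="group1"><display>Title</display><field>txtItemName</field>
    <length>50</length><type>Char</type><required>1</required></rule>
  <rule groupid="group1"><display>Description</display><field>txtDescription</field>
    <length>500</length><type>Char</type><required>1</required></rule>
  <rule><display>Name</display><field>txtName</field>
    <length>20</length><type>Char</type><required>0</required></rule>
</fdf>
"""

KNOWN_TYPES = ("Char", "Numeric")  # "Char" is on the slides; "Numeric" is assumed


def parse_fdf(xml_text):
    """Return (form_name, return_url, groups, rules), or raise ValueError for a
    broken definition (unknown type, <group> after <rule>, <total> that does
    not match the rules, undefined groupid) so it fails loudly at deploy time."""
    root = ET.fromstring(xml_text)
    if root.tag != "fdf":
        raise ValueError("root element must be <fdf>")
    seen_rule = False  # the slides require every <group> before the first <rule>
    for child in root:
        seen_rule = seen_rule or child.tag == "rule"
        if child.tag == "group" and seen_rule:
            raise ValueError("all <group> elements must precede the first <rule>")

    rules = []
    for r in root.findall("rule"):
        rule = {
            "display": r.findtext("display", "").strip(),
            "field": r.findtext("field", "").strip(),
            "length": int(r.findtext("length", "0")),
            "type": r.findtext("type", "Char").strip(),
            "required": r.findtext("required", "0").strip() == "1",
            "groupid": r.get("groupid"),
        }
        if rule["type"] not in KNOWN_TYPES:
            raise ValueError(f"rule {rule['field']}: unknown type {rule['type']!r}")
        rules.append(rule)

    groups = {}
    for g in root.findall("group"):
        gid = g.findtext("id", "").strip()
        members = [r["field"] for r in rules if r["groupid"] == gid]
        total = int(g.findtext("total", "0"))
        if len(members) != total:
            raise ValueError(f"group {gid}: <total> is {total} but {len(members)} rules use it")
        groups[gid] = {"required": int(g.findtext("required", "0")), "members": members}
    for rule in rules:
        if rule["groupid"] and rule["groupid"] not in groups:
            raise ValueError(f"rule {rule['field']}: groupid {rule['groupid']!r} is not defined")
    return root.findtext("form", "").strip(), root.findtext("return", "").strip(), groups, rules


def validate(fdf_xml, posted):
    """Check posted (dict of field name -> str) against the FDF. Returns
    (ok, return_url, fields): when ok is False, fields holds h_<field> for every
    submitted field plus err_<field> / err_<group-id> per failure, for return_url."""
    _, return_url, groups, rules = parse_fdf(fdf_xml)
    errors = {}
    for rule in rules:
        value = posted.get(rule["field"], "").strip()
        if not value:
            if rule["required"]:
                errors[rule["field"]] = f"{rule['display']} is required."
        elif len(value) > rule["length"]:
            errors[rule["field"]] = f"{rule['display']} may not exceed {rule['length']} characters."
        elif rule["type"] == "Numeric" and not value.lstrip("-").isdigit():
            errors[rule["field"]] = f"{rule['display']} must be a whole number."
    for gid, group in groups.items():
        filled = sum(1 for f in group["members"] if posted.get(f, "").strip())
        if filled < group["required"]:
            errors[gid] = f"At least {group['required']} of the {len(group['members'])} {gid} fields must be filled in."
    if not errors:
        return True, return_url, {}
    fields = {"h_" + name: value for name, value in posted.items()}
    fields.update({"err_" + name: msg for name, msg in errors.items()})
    return False, return_url, fields
```

Calling `validate(SAMPLE_FDF, {"txtItemName": "x" * 51, "txtName": "Bob"})` fails on the Title length and the missing Description, and the returned dict carries `h_txtItemName`, `h_txtName`, `err_txtItemName` and `err_txtDescription`. How those fields travel back to the return URL (the hidden-field post the slides call the boomerang) is left to the caller. As page 3 says, this is a foundation, not a silver bullet: the length and type checks narrow what reaches the query, and the query itself should still bind the validated values as parameters (cfqueryparam in ColdFusion) rather than concatenate them.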

Page 17

Another Look…

Form Validator System

Form Posted → Form Fields → Checked Against FDF → Valid Form Fields → SQL Generated → SQL Run on DB

Checked Against FDF → h_ and err_ Form Fields → back to the posted form (diagram labels)

Page 18

Example Form Code

<cfoutput>
<input type="text" name="txtItemName"
  <cfif isDefined("h_txtItemName")> value="#h_txtItemName#"</cfif>>
<br>
<cfif isDefined("err_txtItemName")>#err_txtItemName#</cfif>
</cfoutput>

Steps to receive erred form data from the Form Validator:
– Check for the presence of h_<field-name> and set the value of the form element equal to it.
– Check for the presence of err_<field-name> and output the error in some way if it exists.
– Check for the presence of err_<group-id>. Whenever you have set up a group by using the <group>…</group> tags in the FDF, the form needs to be set up to receive errors which happen at the group level. They will be stored in the “err_<group-id>” form field.
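The receiving side of the boomerang, as an added Python illustration (example code written for this page, not the ColdFusion form above): it applies the three steps listed here, using h_<field> as the input's value, printing err_<field> under its field and err_<group-id> once per group. The field names, labels and posted values are constructed for the example; both the value and the message are HTML-encoded before being written into the page, since they arrived in a POST body.

```python
"""Return-page rendering for the h_/err_ fields, as a hypothetical example
(not the slides' ColdFusion form)."""
from html import escape


def render_field(name, label, posted):
    """One text <input> plus its error line; posted holds the h_/err_ values."""
    attrs = f'type="text" name="{escape(name, quote=True)}"'
    if "h_" + name in posted:
        # Step 1: re-populate from h_<field>. The value came from a POST body,
        # so encode it before placing it inside an attribute.
        attrs += f' value="{escape(posted["h_" + name], quote=True)}"'
    html = f"{escape(label)}: <input {attrs}><br>"
    if "err_" + name in posted:
        # Step 2: show err_<field> under the field it belongs to.
        html += f'<span class="error">{escape(posted["err_" + name])}</span><br>'
    return html


def render_form(fields, groups, posted):
    """fields: list of (name, label); groups: list of group ids from the FDF."""
    parts = []
    for gid in groups:
        if "err_" + gid in posted:
            # Step 3: a group-level error is shown once, above the fields.
            parts.append(f'<span class="error">{escape(posted["err_" + gid])}</span><br>')
    for name, label in fields:
        parts.append(render_field(name, label, posted))
    return "\n".join(parts)


# Constructed form layout and a constructed example of what the validator
# posts back after a failed check.
FIELDS = [("txtItemName", "Title"), ("txtDescription", "Description"), ("txtName", "Name")]
GROUPS = ["group1"]
BOOMERANG = {
    "h_txtItemName": 'Widget "Deluxe" <b>',
    "h_txtDescription": "",
    "h_txtName": "Bob",
    "err_txtDescription": "Description is required.",
}

if __name__ == "__main__":
    print(render_form(FIELDS, GROUPS, BOOMERANG))
```

With the constructed BOOMERANG the Title input is re-populated as `value="Widget &quot;Deluxe&quot; &lt;b&gt;"`, the Description field gets its error line, and no group message appears; adding an `err_group1` entry to the dict prints one extra error line at the top of the form.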

Page 19

Form Validator Summary

– Create a Form Definition File.
– Call the Form Validator before using the form elements.
– Create the form in such a way that it is capable of filling in the form elements with posted data and displaying the error messages associated with bad fields.

Page 20

Form Validator

Questions?