Specifications
CHAPTER 3
50
Input validation
Input validation means ensuring that input is what it says it is or is what it is supposed to be. If your application expects name and address information but receives SQL commands, have a validation mechanism in your application that rejects or filters SQL-specific characters and strings before the data reaches the execute method. Treat such filtering as a supplementary measure: the primary protection against SQL injection is the parameterized query described later in this section, because a filter can miss an encoding the database still understands.
Users typically provide input through TextInput, TextArea, and other controls that accept user input. If you use the values from these controls in operations inside the application, validate them before use so that they contain only the characters and structure the operation expects, rather than assuming they are free of malicious characters or code.
One approach to enforcing input validation is to use the Flex validator classes, either through the <mx:Validator> tag or through the tag for the appropriate validator type. Validators ensure that the input conforms to a predetermined pattern. For example, the NumberValidator class ensures that a string represents a valid number. This validator can ensure that the input falls within a given range (specified by the minValue and maxValue properties), is an integer (specified by the domain property), is non-negative (specified by the allowNegative property), and does not exceed the specified precision (specified by the precision property).
In typical client-server environments, data validation occurs on the server after the client submits data to it. One advantage of using Flex validators is that they execute on the client, which lets you validate input data before transmitting it to the server. Catching errors locally avoids a round trip to the server and back for each error message, which improves the overall responsiveness of your application. Client-side validation is a usability feature, not a security boundary: the Flex client runs on a machine the user controls, and a request can be crafted or replayed without the validators ever running, so the server must still validate every value it receives regardless of what the client checked.
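The following ActionScript class is an added example, not code from the original page or from Adobe: it configures a NumberValidator with the properties described above (minValue, maxValue, domain, allowNegative, precision) and runs it programmatically so the application can decide whether a field is fit to send. The control name quantityInput, the class name, and the method names are assumptions; the validator and event classes are the Flex 3 mx.validators and mx.events APIs.

```actionscript
// Added example (not from the original page). Assumed names: QuantityCheck,
// buildValidator, isValidQuantity, and a TextInput named quantityInput at the call site.
package {
    import mx.controls.TextInput;
    import mx.events.ValidationResultEvent;
    import mx.validators.NumberValidator;
    import mx.validators.NumberValidatorDomainType;

    public class QuantityCheck {
        // Accept whole numbers from 1 to 100 only: no sign, no fraction, no out-of-range values.
        public static function buildValidator(source:TextInput):NumberValidator {
            var v:NumberValidator = new NumberValidator();
            v.source = source;                          // control whose value is validated
            v.property = "text";                        // property of that control to read
            v.required = true;                          // an empty field is an error, not a pass
            v.minValue = 1;                             // range check: lower bound
            v.maxValue = 100;                           // range check: upper bound
            v.domain = NumberValidatorDomainType.INT;   // "int": reject fractional input
            v.allowNegative = false;                    // reject a leading minus sign
            v.precision = 0;                            // no digits after the decimal separator
            return v;
        }

        // Returns true only when the current field value passes every rule above.
        // Call this before sending the value; the server must repeat the check on its side.
        public static function isValidQuantity(source:TextInput):Boolean {
            var result:ValidationResultEvent = buildValidator(source).validate();
            return result.type == ValidationResultEvent.VALID;
        }
    }
}
```

In a component, `QuantityCheck.isValidQuantity(quantityInput)` can gate the submit handler; the validator also dispatches its usual valid and invalid events, so the field shows the standard Flex error indicator. Nothing here removes the need for the same range and type check in the server-side code that consumes the value.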
You can also write your own ActionScript filters that remove or encode potentially harmful characters in input. Common approaches include stripping out the dollar sign ($), quotation mark ("), semicolon (;), and apostrophe (') characters because they have special meaning in most programming and query languages. Because Flex also renders HTML in some controls (through the htmlText property of controls such as Text and TextArea), encode characters that can be used to inject script into HTML rather than passing them through: convert the left and right angle brackets (< and >) to their HTML entities &lt; and &gt;, the left and right parentheses to &#40; and &#41;, the pound sign (#) to &#35;, and the ampersand (&) to &amp;. Encode the ampersand first, so that the entities produced by the other replacements are not themselves re-encoded. Stripping characters alters the user's data and is easy to get wrong; encoding at the point of output preserves the data and neutralizes it for that context, and an allow-list check (for example, a RegExpValidator for fields whose format is known) rejects unexpected input outright.
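The following ActionScript class is an added example, not code from the original page or from Adobe: it implements the entity encoding listed above for values that will be displayed through an htmlText property, with the ampersand handled first so later replacements are not double-encoded. The class and function names are assumptions; the sample input in the usage comment is constructed for illustration.

```actionscript
// Added example (not from the original page). Assumed names: HtmlEncode, encodeForHtmlText.
package {
    public class HtmlEncode {
        // Encodes a user-supplied string so that it can be assigned to an htmlText property
        // without the browser-style HTML parser in the control treating any part of it as markup.
        public static function encodeForHtmlText(input:String):String {
            if (input == null) {
                return "";
            }
            var out:String = input;
            // Ampersand first: every entity emitted below contains "&", and encoding it
            // after them would turn "&lt;" into "&amp;lt;".
            out = out.replace(/&/g, "&amp;");
            // Angle brackets are what opens and closes a tag; these two alone stop tag injection.
            out = out.replace(/</g, "&lt;");
            out = out.replace(/>/g, "&gt;");
            // Parentheses and the pound sign, as recommended in the text above.
            out = out.replace(/\(/g, "&#40;");
            out = out.replace(/\)/g, "&#41;");
            out = out.replace(/#/g, "&#35;");
            // Quotation marks are listed above as special characters; encoding them keeps a
            // value safe when it lands inside an attribute such as href="...".
            out = out.replace(/"/g, "&quot;");
            out = out.replace(/'/g, "&#39;");
            return out;
        }
    }
}
```

Typical use, with a constructed input: `statusText.htmlText = HtmlEncode.encodeForHtmlText(commentInput.text);` where commentInput.text is something like `<a href="#" onclick="steal()">click</a>`. Because the angle brackets and quotes are encoded, the control renders the literal characters instead of an anchor element. Encoding is a per-context operation: this function is correct for HTML text, and a value that is also sent to a URL or a SQL statement needs the encoding or binding appropriate to that context instead.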
Another approach to enforcing input validation is to use strongly typed, parameterized queries in your SQL code. The statement text is fixed in advance and the user's value is bound to a placeholder at execution time, so if someone injects SQL syntax into text that is used in a query, the database treats it as an ordinary string value rather than as part of the statement. Strictly speaking this is safe query construction rather than validation, and it works regardless of which characters the input contains; it is the primary defense against SQL injection, and character filtering only supplements it.
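The following ActionScript class is an added example, not code from the original page or from Adobe: it shows the same lookup written once by concatenating the user's text into the statement and once with a bound parameter, using the flash.data.SQLStatement API that Flex applications targeting AIR have available. The page is describing a server-side database, where the same distinction applies in whatever server language builds the query. The class name, the users table, its columns, and the method names are assumptions; the injection payload in the comment is constructed for illustration.

```actionscript
// Added example (not from the original page). Assumes an AIR target so that
// flash.data.SQLStatement is available; table "users" with columns id and name is assumed.
package {
    import flash.data.SQLConnection;
    import flash.data.SQLStatement;

    public class UserLookup {
        // VULNERABLE: the user's text becomes part of the SQL grammar. A constructed input of
        //   ' OR '1'='1
        // yields  WHERE name = '' OR '1'='1'  and returns every row instead of one.
        public static function findUserUnsafe(conn:SQLConnection, name:String):SQLStatement {
            var stmt:SQLStatement = new SQLStatement();
            stmt.sqlConnection = conn;
            stmt.text = "SELECT id, name FROM users WHERE name = '" + name + "'";
            return stmt;
        }

        // SAFE: the statement text never changes. The value is bound to the :name placeholder
        // and the database compares the column against the whole string, quotes and all.
        public static function findUser(conn:SQLConnection, name:String):SQLStatement {
            var stmt:SQLStatement = new SQLStatement();
            stmt.sqlConnection = conn;
            stmt.text = "SELECT id, name FROM users WHERE name = :name";
            stmt.parameters[":name"] = name;
            return stmt;
        }
    }
}
```

The caller runs the statement with `stmt.execute()` and reads `stmt.getResult().data`. Note that the safe version does not inspect or filter the input at all: the same payload that breaks findUserUnsafe simply matches no user in findUser, which is why parameterization rather than character stripping is the control to rely on.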
For more information on potentially harmful characters and conversion processes, see
http://www.cert.org/tech_tips/malicious_code_mitigation.html.
For more information about validators, see “Validating Data” on page 1263 in the Adobe Flex 3 Developer Guide.
ActionScript
The following techniques help make your use of ActionScript more secure.