On Saturday I gave a talk about form processing and input validation to the Twin Cities PHP User Group. It went well. I had originally planned to talk for 20 minutes or so, but other speakers backed out, so I had lots of extra time. I made a spur-of-the-moment change, pulling in slides from previous presentations covering SQL injection, cross-site scripting, and cross-site request forgeries. If you’re operating in a strictly whitelist mode, it’s possible to do input validation without understanding the threats, but it’s extremely limiting and generally unwise. You have to know your threats to write secure software. There is obviously far more to consider than SQL injection, XSS, and CSRF, but time was limited and that’s what I had slides for. :)

After that quick overview, I covered basic strategies and pitfalls awaiting the programmer fortunate enough to be considering input validation. I even gave props to the Apache Commons Validator, a Very Useful Java validation library that we use in Struts (and that in fact started life in Struts). I’m not aware of anything parallel in PHP, although some libraries and frameworks offer similar functionality. I am intrigued by Solar_Valid and Solar_Filter in Solar, a library/framework for PHP 5. Paul M. Jones has been busy. Matthew Weier O’Phinney provides the background on Solar_Filter. (Quick aside: Marcus Whitney recently interviewed Mr. Jones for the Pro-PHP Podcast.)

I’m not sure how, but after the talk they convinced me to make my slides (PDF) available online. I’m normally opposed to this, and indeed the slides aren’t that useful in isolation, but detailed meeting notes are forthcoming so I am somewhat mollified.