Explain filtering data and validating data


14-Apr-2014 23:59

Filtering by rejecting "known bad" data is a dangerous strategy, because the set of possible bad data is potentially infinite.

Adopting this strategy means that you will have to maintain the list of "known bad" characters and patterns forever, and you will by definition have incomplete protection. Validating against "known good" (what the field is defined to accept) is the safer default, and encoding output for the context it is written into handles the data that has to be accepted as-is.

For example, if you apply HTML entity encoding to user-supplied data before it is written into a page sent to the browser, it will prevent most XSS attacks in that context (attribute, URL and script contexts need their own encoding rules).
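The three strategies discussed above side by side, as an added example that is not from the original page: a "known bad" blocklist, a "known good" allowlist for a field defined as a short display name, and HTML entity encoding at output time. The sample inputs are constructed; the two bypass payloads are chosen to show why the blocklist is incomplete.

```python
import html
import re

# Constructed inputs (not from the original page): a benign value and three
# XSS payloads. The cased tag and the event handler are written to slip past
# the naive blocklist below.
BENIGN = "Nice article, thanks!"
PAYLOAD_PLAIN = "<script>alert(1)</script>"
PAYLOAD_CASED = "<ScRiPt>alert(1)</ScRiPt>"
PAYLOAD_EVENT = "<img src=x onerror=alert(1)>"

# Strategy 1: reject "known bad". The list is never complete; this one
# misses a differently cased tag and misses event-handler attributes entirely.
KNOWN_BAD = ["<script>", "javascript:"]

def reject_known_bad(value: str) -> bool:
    """Return True if the input is accepted by the blocklist (no listed pattern found)."""
    return not any(bad in value for bad in KNOWN_BAD)

# Strategy 2: accept "known good". The field is defined as a display name:
# letters, digits, spaces and a few punctuation marks, 1 to 40 characters.
# Anything outside that definition is rejected without needing an attack list.
KNOWN_GOOD = re.compile(r"^[A-Za-z0-9 ,.!'-]{1,40}$")

def accept_known_good(value: str) -> bool:
    """Return True only if the whole value matches the field's definition."""
    return KNOWN_GOOD.fullmatch(value) is not None

# Strategy 3: output encoding. Whatever was stored, entity-encode it at the
# point it is written into an HTML text node, so the browser never sees markup.
def render_comment(value: str) -> str:
    """Render a stored value inside a <p> element with HTML entity encoding."""
    return "<p>" + html.escape(value, quote=True) + "</p>"

def contains_markup(rendered: str) -> bool:
    """Crude check: does the fragment contain any '<' or '>' inside the <p> wrapper?"""
    inner = rendered[len("<p>"):-len("</p>")]
    return "<" in inner or ">" in inner

if __name__ == "__main__":
    for payload in (PAYLOAD_PLAIN, PAYLOAD_CASED, PAYLOAD_EVENT):
        print(f"blocklist accepts {payload!r}: {reject_known_bad(payload)}")
        print(f"allowlist accepts {payload!r}: {accept_known_good(payload)}")
        print(f"encoded: {render_comment(payload)}")
```

The allowlist rejects all three payloads because the field definition has no room for `<`; for a field that legitimately contains such characters (a free-text comment), validation cannot be the last line of defence, and the encoding step is what keeps the data from being interpreted as markup.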

However, simply preventing attacks is not enough - you must perform Intrusion Detection in your applications.

Detecting attempts to find these weaknesses is a critical protection mechanism.

Data from the client should never be trusted, because the client has every opportunity to tamper with it. In many cases, encoding can defuse attacks that rely on a lack of input validation.

Consider an account selection list. The selected option's value is read directly and placed in a message to the backend system, without validating that the account number is one of the accounts the backend system supplied for this user. An attacker can change the HTML in any way they choose, for example submitting an arbitrary account number rather than one of the accounts they were shown.

Another example: say you want to set up a site where users can upload arbitrary files so they can share them or download them again from another location.
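The account selection case, as an added example that is not from the original page: the accounts the backend returned for the session are kept server-side, and the submitted value is accepted only if it is one of them. A value that was never rendered for this user is treated as tampering and recorded, which ties the check to the intrusion detection point made above. The `Session` class, the `INTRUSION_LOG` list and the transfer message format are assumptions for the illustration.

```python
import html
from dataclasses import dataclass, field
from typing import Optional

# Assumed: a list the application's intrusion detection would read from.
INTRUSION_LOG: list = []

@dataclass
class Session:
    """Assumed server-side session: what the backend offered this user at render time."""
    user_id: str
    offered_accounts: set = field(default_factory=set)

def render_account_select(session: Session) -> str:
    """Render the <select>; option values are the account numbers the backend supplied."""
    options = "".join(
        f'<option value="{html.escape(acct, quote=True)}">{html.escape(acct)}</option>'
        for acct in sorted(session.offered_accounts)
    )
    return f'<select name="account">{options}</select>'

def handle_transfer_vulnerable(session: Session, form: dict) -> str:
    """The case described on the page: the submitted value goes straight into the backend message."""
    return f"TRANSFER account={form['account']} user={session.user_id}"

def selection_is_valid(session: Session, form: dict) -> bool:
    """True only if the submitted account is one this session was actually offered."""
    return form.get("account", "") in session.offered_accounts

def handle_transfer_checked(session: Session, form: dict) -> Optional[str]:
    """Accept the selection only if it was offered; otherwise log it and return None."""
    if not selection_is_valid(session, form):
        # An honest browser can only submit values that were rendered for it,
        # so anything else is a modified request worth recording.
        INTRUSION_LOG.append(
            f"user={session.user_id} submitted account={form.get('account')!r} not in offered set"
        )
        return None
    return f"TRANSFER account={form['account']} user={session.user_id}"

if __name__ == "__main__":
    # Constructed data (not from the original page).
    sess = Session("alice", {"1001", "1002"})
    print(render_account_select(sess))
    print(handle_transfer_vulnerable(sess, {"account": "9999"}))   # goes through
    print(handle_transfer_checked(sess, {"account": "9999"}))      # None
    print(INTRUSION_LOG)
```

The set of offered accounts must come from the session, never from a hidden field or cookie the browser can rewrite, otherwise the check validates the attacker's own data against itself.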