Web Service Input Validation

22 February 2007

One comment

I blogged on the importance of input validation some time ago: App Architecture with Security in mind – Video, Part I


Web Services are no different from ASPX pages: they accept parameters and process them. So the strategy for input validation should be the same as with ASPX: each and every input parameter MUST be checked for goodness against an allow list of what is acceptable (no black list allowed!). The only difference from ASPX is that there are no validation controls for ASMX, so the simplest approach is as follows:


from http://msdn2.microsoft.com/en-us/library/ms998375.aspx#pagquestionlist0001_input1


using System;
using System.Text.RegularExpressions;
using System.Web.Services;

[WebMethod]
public decimal RetrieveAccountBalance(string accountId)
{
   // Allow-list check: the identifier must consist only of the permitted
   // characters and be 1 to 40 characters long; anything else is rejected up front.
   if (!Regex.IsMatch(accountId, @"^[a-zA-Z'.\s]{1,40}$"))
   {
      // AccountID does not match expression
      // do not process request (rejecting with an exception is added here so the method compiles)
      throw new ArgumentException("Invalid account id.", "accountId");
   }

   // ... look up and return the balance only for a validated accountId ...
}


Common regex patterns are here: http://msdn2.microsoft.com/en-us/library/ms998267.aspx
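The following is an added example, not code from the post or from the MSDN page it links to. It shows the same allow-list strategy applied consistently to every scalar parameter of a hypothetical ASMX service: each parameter is checked against an anchored, length-bounded pattern before any business logic runs, a null argument is treated as invalid, and a bad value is rejected with a SOAP client fault rather than a server error. The service name, method signature, patterns and the LookupBalance placeholder are all assumptions made for the example.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical ASMX service (constructed for this example).
public class AccountService : WebService
{
    // Allow-list patterns, one per parameter. Assumed formats: an account id is
    // 8 to 12 upper-case letters or digits, a currency is a 3-letter ISO code.
    // \z is used instead of $ because in .NET $ also matches just before a
    // trailing newline, so "ABC12345\n" would slip through ^...$.
    private static readonly Regex AccountIdPattern = new Regex(@"^[A-Z0-9]{8,12}\z");
    private static readonly Regex CurrencyPattern  = new Regex(@"^[A-Z]{3}\z");

    [WebMethod]
    public decimal RetrieveAccountBalance(string accountId, string currency)
    {
        // Every parameter goes through the same validator; nothing is trusted
        // because it "looks like" an id.
        RequireMatch("accountId", accountId, AccountIdPattern);
        RequireMatch("currency", currency, CurrencyPattern);

        // Only validated values reach the data layer.
        return LookupBalance(accountId, currency);
    }

    // Rejects null or non-conforming input with a SOAP client fault. The message
    // names the parameter but reveals nothing about the service internals.
    private static void RequireMatch(string name, string value, Regex pattern)
    {
        if (value == null || !pattern.IsMatch(value))
        {
            throw new SoapException(
                "Parameter '" + name + "' is not in the expected format.",
                SoapException.ClientFaultCode);
        }
    }

    // Placeholder for the real data access; returns a constructed value.
    private static decimal LookupBalance(string accountId, string currency)
    {
        return 0m;
    }
}
```

Keeping the patterns as static fields means each one is compiled once and reviewed in one place; when a new parameter is added, the missing RequireMatch call is easy to spot in code review.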


It is more complicated when dealing with complex types as input parameters; I will save that for the next post.


Enjoy



One comment

  1. Kevin Lam, 27 April 2007 at 10:19

    Hey Alik,

    I just posted a blog about different approaches to input validation (1st in a series of 3) at http://www.buildingsecurecode.com/2007/04/26/approaches-to-input-validation/.

    Thanks,

    Kevin


    Kevin Lam
    Impacta LLC (http://www.impactalabs.com)

    "Risk management solutions working for you"
