Web Service Input Validation - Alik Levin

Alik Levin

The world of a Microsoft consultant

Web Service Input Validation

I blogged some time ago on the importance of input validation: App Architecture with Security in mind - Video, Part I

Web services are no different from ASPX pages: they accept parameters and process them. So the strategy for input validation should be the same as with ASPX - each and every input parameter MUST be checked for goodness (allow-list only, no black list allowed!). The only difference from ASPX is that there are no validation controls for ASMX, so the simplest way would be as follows:

from http://msdn2.microsoft.com/en-us/library/ms998375.aspx#pagquestionlist0001_input1

using System.Text.RegularExpressions;

[WebMethod]
public decimal RetrieveAccountBalance(string accountId)
{
   // Allow-list check: only the characters and length an account ID is expected to have
   if (!Regex.IsMatch(accountId, @"^[a-zA-Z'.\s]{1,40}$"))
   {
      // AccountID does not match expression
      // do not process request
      throw new ArgumentException("accountId does not match the expected format");
   }

   // ... only a validated accountId reaches the lookup code that follows
}

Common regex patterns are here: http://msdn2.microsoft.com/en-us/library/ms998267.aspx
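The same allow-list idea applied to a whole web method, as an added example that is not from the post or the MSDN page: every parameter name maps to the one pattern it must match, unknown parameters fail closed, and a bad value is rejected with a client SOAP fault that does not echo the input back. The service, method and rule names (AccountService, Transfer, InputRules) are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Allow-list validator shared by every web method: each parameter name maps
// to the exact pattern it must match, so nothing reaches business logic unchecked.
public static class InputRules
{
    private static readonly Dictionary<string, Regex> Rules = new Dictionary<string, Regex>
    {
        // \A and \z anchor to the true start and end of the string; a bare '$'
        // would also accept a value that carries a trailing newline.
        { "accountId", new Regex(@"\A[a-zA-Z'.\s]{1,40}\z") },
        { "amount",    new Regex(@"\A\d{1,9}(\.\d{1,2})?\z") },
        { "currency",  new Regex(@"\A[A-Z]{3}\z") }
    };

    // True only when the parameter is known, the value is present and it matches its pattern.
    public static bool IsValid(string name, string value)
    {
        Regex rule;
        if (!Rules.TryGetValue(name, out rule))
            return false;           // unknown parameter: fail closed
        return value != null && rule.IsMatch(value);
    }

    // Rejects the request with a client-side SOAP fault; the bad value itself is not echoed.
    public static void Require(string name, string value)
    {
        if (!IsValid(name, value))
            throw new SoapException("Invalid value for parameter '" + name + "'",
                                    SoapException.ClientFaultCode);
    }
}

public class AccountService : WebService
{
    [WebMethod]
    public decimal Transfer(string accountId, string amount, string currency)
    {
        InputRules.Require("accountId", accountId);
        InputRules.Require("amount", amount);
        InputRules.Require("currency", currency);
        // Only validated input reaches this point.
        return decimal.Parse(amount);
    }
}
```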

It is more complicated when dealing with complex types as input parameters - I will save that for the next post.

Enjoy

Comments

alik levin's wrote:

First of I'd like to thank Guy for his excellent screencast - very convenient, so thanks. Specifically

# March 1, 2007 10:10 AM

Practicing Software Engineering in the Field wrote:

First of I'd like to thank Guy for his excellent screencast - very convenient, so thanks. Specifically

# March 4, 2007 10:13 PM

Kevin Lam wrote:

Hey Alik, I just posted a blog about different approaches to input validation (1st in a series of 3) at http://www.buildingsecurecode.com/2007/04/26/approaches-to-input-validation/. Thanks, Kevin
-- Kevin Lam, Impacta LLC (http://www.impactalabs.com) "Risk management solutions working for you"
# April 27, 2007 10:19 AM