Do your own error checking

Development Tips

Always check everything for errors and values outside of allowable range.


Date : 2006-06-17
It is not only good programming practice to check all values to be valid and within allowable range but it is also good security practice. Numbers and text strings outside of the allowable range can be used to overwrite adjacent data causing all manner of security violations.

All strings should be checked for length. A simple method is to always clip strings at their intended length you don't even have to waste the time to check the length. Just use something like:

Code:
<%
  first_name = left(request.form("first_name"),50)
%>


That way the string will automatically be limited to 50 characters no matter how many were entered. If you also have HTML character limitations in place then the only time this code will actually clip anything is if someone is submitting data at your form no doubt with bad intentions.

With numeric values it's a good idea to convert them to an integer, a safe method for doing this is:

Code:
<%
  age = cInt("0" & request.form("age"))
%>


That way if no number is entered it will default to zero. If something other than a number has been entered it will cause an error.

It may seem like an error is a bad thing, but an error you can check for and handle, malicious code being insterted into your database, or displayed in your users browsers is much harder to detect.

These examples have been when handling form inputs but really all values passed into a function or subroutine should be tested before being used and proper handling put in place if one is outside of bounds or invalid. For instance it is common practice for a function to return False if there was a problem.

Leaving error checking to a default handler, or assuming that a previous error check will handle everything is asking for disaster. Do your own error checking, do it all the time, do it every time.

Comments :

No comments yet
  • Search For Articles