Let's pretend that you had the task of creating a URL (e.g. a single web page) which receives input (e.g. GET and/or POST) and must clean and safely store that input to a database. In addition, it must be easy to send data to that URL from nearly any application, regardless of the language it's written in.
How would you get this task accomplished in a safe manner?
(I'm thinking of the Pit of Success, as opposed to easily throwing together a PHP script which leaves me wide open to SQL injection.)
EDIT: I've changed the title and some keywords in response to some answers. I was posting this question as a discussion of security and safety for those who may be new to web dev. I am not talking about securing all levels to a paranoid extent, just ensuring minimum security in the handling of user input. The answers I envisioned, in addition to security discussions, would be examples of code which accomplishes the stated task. I will provide my own answer (in PHP) as an example of what I mean.
Also, I am hoping this will become a community wiki.
As promised, here is an example of taking input and storing it in a MySQL database in what I believe is a secure manner (at least, it is supposed to prevent SQL injection problems). Please correct me if I am wrong. (Note, the only input is from the msg variable, which could be from GET, POST, or a cookie.)
<?php
// Connection settings: placeholder values, set these for your environment
$hostUri = 'localhost';
$dbName = 'mydb';
$tableName = 'messages';
$user = 'dbuser';
$pass = 'dbpass';

try {
    // Double quotes are required here so that $hostUri and $dbName are interpolated
    $db = new PDO("mysql:host=$hostUri;dbname=$dbName", $user, $pass, array(
        PDO::ATTR_PERSISTENT => true,
        // Make PDO throw on errors so the catch block below actually runs
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
    ));
    // Table name comes from configuration, not from the user; the user value is bound as :msg
    $s = $db->prepare("INSERT INTO $dbName.$tableName (message) VALUES (:msg)");
    $dbData = array(':msg' => $_REQUEST['msg']);
    $s->execute($dbData);
    print "Added to database";
} catch (PDOException $e) {
    // Sensitive information can be displayed if this exception isn't handled
    //print "Error!: " . $e->getMessage() . "<br/>";
    die("PDO error");
}
?>
More information on PDO in PHP.
This code could be called by simply including the variable in the URL (e.g. http://example.com/?msg=MyMessage) or by code (example below is in C#, thanks to this answer).
using (var client = new System.Net.WebClient())
{
    // POST the msg field as form data to the page above and print its reply
    byte[] response = client.UploadValues(
        "http://example.com/",
        new System.Collections.Specialized.NameValueCollection { { "msg", "MyMessage" } });
    Console.WriteLine(System.Text.Encoding.UTF8.GetString(response));
}
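As an added example (not part of the question or this answer), the same store-the-input pattern in Python against an in-memory SQLite table: a concatenated query breaks on an ordinary apostrophe in the input, while the parameterised insert, the equivalent of the PDO prepare/execute pair, stores it verbatim. The table name, length limit and sample message are assumptions.

```python
import sqlite3

# Constructed sample input standing in for $_REQUEST['msg'] in the PHP answer.
# A plain apostrophe is enough to show why string-built SQL is fragile.
SAMPLE_MSG = "O'Brien's message"
MAX_MSG_LEN = 1000  # assumed application limit; match it to your column size


def open_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL table used in the answer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT NOT NULL)")
    return conn


def validate_msg(raw) -> str:
    """Minimal input handling: must be a string, non-empty, bounded length."""
    if not isinstance(raw, str):
        raise ValueError("msg must be a string")
    msg = raw.strip()
    if not msg or len(msg) > MAX_MSG_LEN:
        raise ValueError("msg is empty or too long")
    return msg


def store_message_unsafe(conn, raw) -> None:
    """Anti-pattern: the value is concatenated into SQL, so quotes in it change the query."""
    conn.execute("INSERT INTO messages (message) VALUES ('" + raw + "')")
    conn.commit()


def store_message(conn, raw) -> int:
    """Parameterised insert: the driver sends the value separately from the SQL text."""
    msg = validate_msg(raw)
    cur = conn.execute("INSERT INTO messages (message) VALUES (?)", (msg,))
    conn.commit()
    return cur.lastrowid


def fetch_message(conn, row_id) -> str:
    return conn.execute("SELECT message FROM messages WHERE id = ?", (row_id,)).fetchone()[0]


def demo() -> dict:
    """Run both variants on SAMPLE_MSG and report what happened to each."""
    conn = open_db()
    try:
        store_message_unsafe(conn, SAMPLE_MSG)
        unsafe_result = "inserted"
    except sqlite3.OperationalError:
        unsafe_result = "error"  # the apostrophe produced malformed SQL
    row_id = store_message(conn, SAMPLE_MSG)
    return {"unsafe": unsafe_result, "stored": fetch_message(conn, row_id)}
```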