
Web Technologies-I



   •  Ensure that data filtering cannot be bypassed,
   •  Ensure that invalid data cannot be mistaken for valid data, and
   •  Identify the origin of data.

Opinions about how to ensure that data filtering cannot be bypassed vary, but two general approaches are by far the most common, and both provide a sufficient level of assurance.

The Dispatch Method

One method is to have a single PHP script that is reachable directly from the web (via URL). Everything else is a module brought in with include or require as needed. This method usually requires that a GET variable identifying the task be passed along with every URL; this variable takes the place of the script name that a simpler design would use. For example:

http://example.org/dispatch.php?task=print_form

The file dispatch.php is the only file within the document root. This allows a developer to do two important things:
   •  Implement global security measures at the top of dispatch.php and be assured that they cannot be bypassed, because every request passes through that file.
   •  Easily see that data filtering takes place when necessary, by focusing on the control flow of a specific task.
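A hardened version of such a dispatcher, added here as an example (it is not code from the original text): it keeps the single entry point but checks the task against an allowlist before any include, so the request value never becomes part of a file name. MODULE_DIR, the header values, the DISPATCHED marker and the branch that redisplays the form are assumptions; the task names match the ones used in the text.

```php
<?php
declare(strict_types=1);

/*
 * dispatch.php: the only PHP file under the document root.
 * MODULE_DIR, the module file names and the header values are
 * assumptions for this example; the task names match the text.
 */

// Modules live outside the document root, so a client can never request
// them by URL; they run only when this file includes them.
const MODULE_DIR = '/var/www/inc';

// Allowlist of tasks. The request value is compared against this list and
// is never spliced into a file name.
const TASKS = ['print_form', 'process_form'];

/** Return the task name if it is on the allowlist, otherwise null. */
function validate_task(mixed $task): ?string
{
    return (is_string($task) && in_array($task, TASKS, true)) ? $task : null;
}

/*
 * The pattern to avoid: deriving the file name from the request.
 *
 *     include MODULE_DIR . '/' . $_GET['task'] . '.inc';   // DO NOT DO THIS
 *
 * That lets task=../../some/path pull in any readable file whose name ends
 * in .inc (and, on PHP before 5.3.4, any file at all via a null byte), so
 * the "cannot be bypassed" property the single entry point was meant to
 * give is lost.
 */

/* Global security measures: run before any task, so no task can skip them. */
define('DISPATCHED', true);                  // modules refuse to run without it
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');

$task = validate_task($_GET['task'] ?? null);
if ($task === null) {
    http_response_code(404);
    exit('Unknown task');
}

/* Per-task control flow: the filtering each task needs is visible here. */
switch ($task) {
    case 'print_form':
        include MODULE_DIR . '/presentation/form.inc';
        break;

    case 'process_form':
        $form_valid = false;                 // process.inc sets this to true
        include MODULE_DIR . '/logic/process.inc';   // only after filtering its input
        if ($form_valid) {
            include MODULE_DIR . '/presentation/end.inc';
        } else {
            include MODULE_DIR . '/presentation/form.inc';   // redisplay the form
        }
        break;

    default:
        // Unreachable after validate_task(); kept so that adding a task to
        // TASKS without a matching case fails closed rather than silently.
        http_response_code(500);
        exit('Task not implemented');
}
```

Each module should begin with `defined('DISPATCHED') or exit;` so that even if the module directory were ever exposed by a misconfiguration, requesting a module directly produces nothing. Because include shares the scope of dispatch.php, a `$form_valid = true;` inside process.inc is visible to the if test that follows it.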
To further explain this, consider the following example dispatch.php script:




<?php

/* Global security measures: every request passes through here first */

switch ($_GET['task'])
{
  case 'print_form':
    /* modules live outside the document root */
    include '/inc/presentation/form.inc';
    break;

  case 'process_form':
    $form_valid = false;           /* process.inc sets this after filtering */
    include '/inc/logic/process.inc';
    if ($form_valid)
    {
      include '/inc/presentation/end.inc';
    }
    else
    {


