Code Responsibly -- How Can I Properly Validate Input?
Question
Check all input: Below is a partial list of some checks to include:
- Type check: input should be checked to ensure it is the datatype expected, e.g., age must be an integer.
- Length check: variables are checked to ensure they are the appropriate length; for example, a US telephone number has 10 digits.
- Range check: numbers are checked to ensure they are within a range of possible values; for example, the value for month should lie between 1 and 12.
- Reasonableness check: values are checked for their reasonableness, e.g. (age > 16) && (age < 100).
- Divide by zero: variables are checked for values that might cause problems such as division by zero.
- Format check: checks that the data is in a specified format (template), e.g., dates have to be in the format DD/MM/YYYY.

Input checking can be difficult. Checking a telephone number may require consideration of the many differing telephone formats used by countries around the world.

Recover Appropriately: A robust program will respond to invalid input in a manner that is appropriate, correct, and secure. When your program runs across invalid input, it should recover as much as possible and then repeat the request, or otherwise continue on. Arbitrary decisions such as truncating or otherwise reformatting data to "make it fit" should be avoided.

The following method shows input validation to check range and/or reasonableness:

    #include <iostream>
    using namespace std;

    int ValidNum(int min, int max)
    {
        int value;
        cin >> value;        // no type check here: a non-numeric entry puts cin into a fail state
        while ((value < min) || (value > max))
        {
            // The posted code is cut off after "cout <<"; the re-prompt below is a
            // generic reconstruction of the "repeat the request" step described above.
            cout << "Enter a value between " << min << " and " << max << ": ";
            cin >> value;
        }
        return value;
    }

Explanation / Answer
1. Age should be checked for reasonableness, as a person usually will not live beyond 100 years, and no person can have an age of 0. The reasonableness check cannot be performed on first name and city: you cannot say the name "Shashi" and the city "Chennai" are not reasonable just because you don't know the place. itemPrice falls under both the reasonableness check and the range check; you cannot have an item with a negative price.
2. A Social Security Number consists of nine digits, usually written as three fields separated by hyphens: KKK-VV-RRRR. The first, three-digit field is called the "area number", the central two-digit field is called the "group number", and the last three digits represent the "serial number". A format check must be applied to the SSN, as it follows a specific format. National debt and telephone numbers cannot be checked against a specific format, as they might be represented in different ways by different countries. The birthdate must be format-checked, say if you wanted to store the date in mm/dd/yy format.
3. BMI calculator
    #include <stdio.h>

    int main(void)
    {
        float pounds, height, bmi;
        printf("Enter weight in pounds and height in inches: ");
        scanf("%f%f", &pounds, &height);          /* both inputs read without validation */
        bmi = pounds / (height * height) * 703;   /* a height of 0 divides by zero */
        printf("bmi: %f\n", bmi);
        return 0;
    }
The variables that are input are weight (pounds) and height (inches).
Weight in pounds can have a maximum length of 3 digits before the fraction, and height a maximum length of 2 digits before the fraction.
The range can be checked for both weight and height: you cannot have a weight of -10, nor a weight greater than 800 pounds (usually); similarly for height.
The format can be checked for both weight and height; they are usually represented as floating-point numbers, e.g. 150.3456 pounds.
The type should be checked for both weight and height; they can have only numeric values.
4. Each time a new file is created on Windows, the operating system also creates an MS-DOS-compatible short file name in 8.3 format. For example, say an SQL backup file is created with a complex file name so that an attacker cannot guess it. Let's assume that this file name is: backup 08211jhbdhjdfb9f75623eb7abhbvfdgvdjd7bf357698ff66c.sql. Windows will create a short name for this file, BACKUP~1.SQL. If I can access this file using the short file name, then all the security is broken. This is how filenames are vulnerable to attacks.
5. Defense in depth is a security strategy that consists of several security layers. If an attacker breaks one layer, another layer protects the system. Input validation also ensures that the program receives only the proper data defined by the developer [viruses contain hashes, special characters, etc.]. If the attacker uses different input, the system will not accept that input, and your system is protected by rejecting input that may contain malicious code.
6. Yes, adding an integer and a string or special characters will lead to integer errors. Say you want to add 2 numbers. You must validate both numbers; you should not restrict your validation to only one number.
7. Arrays are usually static. Trying to store an element beyond the capacity causes an integer overflow. In order to check for integer overflow, before inserting an element the index must be checked to see whether it lies within the range. Therefore it increases the complexity, as you need to check each time, whereas division by zero can be checked easily.
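Added worked example, not code from the question or the answer: the checks in the question's list (type, length, range, format, re-prompting without "making it fit") together with the guarded arithmetic from the answer's items 6 and 7, in C++ to match the question's ValidNum. The function names, the prompt text, the capacity of 4 and the sample input "13 / abc / 7" are assumptions chosen for illustration; nothing on the page fixes them.

```cpp
// Added example (not from the question or the answer): the checks in the
// question's list and the guarded arithmetic from the answer's items 6 and 7,
// written so that bad input is rejected and re-requested, never "made to fit".
#include <cctype>
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>

// Type check: the whole string must be one base-10 integer. Rejects "", " 42",
// "12abc" and anything outside the range of long (strtol reports that via errno).
std::optional<long> parseInteger(const std::string& text) {
    if (text.empty() || std::isspace(static_cast<unsigned char>(text[0]))) return std::nullopt;
    errno = 0;
    char* end = nullptr;
    long v = std::strtol(text.c_str(), &end, 10);
    if (errno == ERANGE || end == text.c_str() || *end != '\0') return std::nullopt;
    return v;
}

// Range check: parses and requires min <= value <= max.
std::optional<int> validateIntInRange(const std::string& text, int min, int max) {
    auto v = parseInteger(text);
    if (!v || *v < min || *v > max) return std::nullopt;
    return static_cast<int>(*v);
}

// Length + format + range check for a date in the DD/MM/YYYY template,
// including the day count of the month and leap years.
bool isValidDateDDMMYYYY(const std::string& text) {
    if (text.size() != 10) return false;                       // length check
    for (std::size_t i = 0; i < text.size(); ++i) {            // format check
        bool slash = (i == 2 || i == 5);
        if (slash ? text[i] != '/' : !std::isdigit(static_cast<unsigned char>(text[i]))) return false;
    }
    auto dd = validateIntInRange(text.substr(0, 2), 1, 31);    // range checks
    auto mm = validateIntInRange(text.substr(3, 2), 1, 12);
    auto yyyy = validateIntInRange(text.substr(6, 4), 1, 9999);
    if (!dd || !mm || !yyyy) return false;
    static const int daysIn[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    bool leap = (*yyyy % 4 == 0 && *yyyy % 100 != 0) || *yyyy % 400 == 0;
    int maxDay = (*mm == 2 && leap) ? 29 : daysIn[*mm - 1];
    return *dd <= maxDay;
}

// The question's ValidNum, made robust: read whole lines so "abc" cannot leave
// cin in a fail state, and repeat the request until type and range checks pass.
// Returns nullopt only if the stream ends first, so the caller decides what to do.
std::optional<int> readValidNum(std::istream& in, std::ostream& out, int min, int max) {
    std::string line;
    while (true) {
        out << "Enter a whole number between " << min << " and " << max << ": ";
        if (!std::getline(in, line)) return std::nullopt;
        if (auto v = validateIntInRange(line, min, max)) return v;
        out << "Invalid input, please try again.\n";
    }
}

// Answer item 6: both operands are checked, and a sum that would overflow int is refused.
std::optional<int> checkedAdd(int a, int b) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) return std::nullopt;
    return a + b;
}

// Answer item 7: guard the divisor (and the one overflowing quotient) before dividing.
std::optional<int> checkedDivide(int numerator, int divisor) {
    if (divisor == 0 || (numerator == INT_MIN && divisor == -1)) return std::nullopt;
    return numerator / divisor;
}

// Answer item 7: a fixed-capacity array whose index is checked before every write.
constexpr int kCapacity = 4;   // assumed capacity for the example
bool boundedInsert(int (&arr)[kCapacity], int index, int value) {
    if (index < 0 || index >= kCapacity) return false;   // refuse out-of-range writes
    arr[index] = value;
    return true;
}

int main() {
    // Constructed input (not from the page): out of range, wrong type, then valid.
    std::istringstream fakeInput("13\nabc\n7\n");
    auto month = readValidNum(fakeInput, std::cout, 1, 12);
    std::cout << "\nmonth = " << (month ? *month : -1) << '\n';
    std::cout << "29/02/2021 valid? " << isValidDateDDMMYYYY("29/02/2021") << '\n';
    std::cout << "INT_MAX + 1 fits? " << checkedAdd(INT_MAX, 1).has_value() << '\n';
    int arr[kCapacity] = {};
    std::cout << "insert at index 4 ok? " << boundedInsert(arr, 4, 99) << '\n';
    return 0;
}
```

The design point is that every check returns "no value" instead of a substitute: readValidNum asks again rather than clamping 13 to 12, the date check refuses 29/02/2021 rather than rolling it into March, and the arithmetic helpers refuse rather than wrap or crash. Reading a full line with std::getline also avoids the trap in the question's own ValidNum, where `cin >> value` on "abc" sets the fail bit and every later read silently fails.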