Common Pitfalls
Below are common security pitfalls in web development. Do your applications guard against them?
- Public directories must only contain files that are meant to be served to the user. All other scripts and configuration must be stored outside the web root. Many off-the-shelf packages store database connection details in a file inside a public directory, where it may be served as plain text to anyone who requests it.
- Never trust user input. All fields entered by a user or read from a URL must be validated on the server to ensure the data is what the application expects before it is used.
- Never use untrusted input to build SQL statements; this leaves your site open to injection attacks. Access the database through stored procedures or parameterised queries, so that user data is bound as values and is never interpreted as SQL.
- Many sites only use JavaScript to validate form fields. The same checks must be repeated on the server, both for users with JavaScript turned off and for attackers who bypass the client-side checks entirely (for example by submitting the request directly).
- Applications must behave gracefully if a user submits the same form twice, or uses the back button or refresh to follow an unexpected route through the site.
- Certain characters, such as ' / \, have special meaning to databases. Unless they are escaped, or better, passed as bound parameters, they cause errors at best and injection at worst.
- Users may try to embed HTML into form fields (e.g. entering <b></b>). This must be trapped: reject or encode such input on the way in, and always encode output when it is rendered back into a page, otherwise it becomes a cross-site scripting (XSS) vector.
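The following Python script is an added example, not code from the original page. It puts the input-handling pitfalls above side by side on a constructed in-memory SQLite database (the `users` table, the sample rows, the validation rules and the function names are all assumptions made for the illustration): a vulnerable string-built query beside its parameterised form, showing that a stray apostrophe breaks the unsafe query while a crafted value returns every row; a server-side validator that accepts legitimate apostrophes but rejects embedded HTML and malformed email addresses; and output encoding before a field is rendered back into a page.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample database (assumption): a users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """VULNERABLE: untrusted input is spliced into the statement text.

    A quote in the input either breaks the statement or changes its logic."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """HARDENED: the value is bound as a parameter; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_query_fails(conn, name):
    """True if the string-built query raises a database error for this input."""
    try:
        find_user_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# Server-side validation rules (assumptions for the example). Note that the
# name rule deliberately allows apostrophes, so validation alone does not make
# the string-built query safe; parameterisation does.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 '._-]{0,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_form(fields):
    """Return a dict of field -> error message; empty dict means the form is valid.

    Runs on the server regardless of any JavaScript checks in the browser."""
    errors = {}
    name = fields.get("name", "")
    email = fields.get("email", "")
    if not NAME_RE.match(name):
        errors["name"] = "name may only contain letters, digits, spaces and ' . _ -"
    if not EMAIL_RE.match(email):
        errors["email"] = "email address is not well formed"
    return errors


def render_name(name):
    """Encode a stored value before placing it in HTML so <b> or <script> is shown, not run."""
    return html.escape(name)


if __name__ == "__main__":
    conn = make_db()
    # Crafted value: the unsafe query returns every user, the safe one returns none.
    payload = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, payload))
    print("safe:  ", find_user_safe(conn, payload))
    # A perfectly legitimate name breaks the unsafe query but not the safe one.
    print("O'Brien breaks unsafe query:", unsafe_query_fails(conn, "O'Brien"))
    print("O'Brien via safe query:", find_user_safe(conn, "O'Brien"))
    print("validation:", validate_form({"name": "<b>alice</b>", "email": "bad"}))
    print("rendered:", render_name("<b>alice</b>"))
```

Run it with `python3 pitfalls.py`. The crafted value `x' OR '1'='1` makes the string-built query match every row, while the parameterised query looks for a user literally named `x' OR '1'='1` and finds nothing; `O'Brien` passes validation, crashes the string-built query with a syntax error, and is handled correctly by the parameterised one. `render_name` turns `<b>alice</b>` into `&lt;b&gt;alice&lt;/b&gt;`, which the browser displays as text rather than markup.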