Try Again if Input Is Invalid Java

VIEW MODULE CONTENT

USE THIS MODULE

Give this link to students

Input Validation –"All Input is Evil" – CS2

Background

Summary:

Any input that comes into a plan from an external source – such as a user typing at a keyboard or a network connection – can be the source of security concerns and disastrous bugs. All input should exist treated as potentially unsafe.

Description:

Most software packages rely on external input, either via the keyboard, network, or other external sources.  Generally, this input volition be of a specific blazon: for case, a user interface that requests a person's name expects a series of alphabetic characters. If programs are not carefully written, attackers can construct inputs that tin can cause malicious code to exist executed.

If video does not work, try refreshing the page:

Video by Summer Lagambi, Haley McComas, and Abbey Baker.

Risk – How Can It Happen?

All input data is a potential source of issues.  If input is not checked to verify that it has the correct blazon, format, and length, it can cause problems. Failure to validate input can lead to serious security risks such as integer error, buffer overflow, and SQL injections amid others.

Drawing used by permission of Dominik Joswig

Example of Occurrence:

A Norwegian woman mistyped her account number on an internet banking system. Instead of typing her 11-digit account number, she accidentally typed an extra digit, for a total of 12 numbers. The system discarded the extra digit, and transferred  $100,000 to the (wrong) business relationship given by the eleven remaining numbers.   A simple dialog box informing her that she had typed too many digits may have avoided this expensive error.Olsen, Kai. "The $100,000 Keying error" IEEE Figurer, August 2008

Case in Code:

This program returns the foursquare of an input number from a stored array.

import coffee.util.Scanner; public class InputValidationExample {    public static void main(Cord[] args) {     int[] vals = new int[x];      for (int i = 0; i < 10; i++) {       vals[i] = (i+1)*(i+1);     }      System.out.impress("Please type a number: ");     Scanner sc = new Scanner(System.in);     int which = sc.nextInt();      int square = vals[which-1];     Organization.out.println("The square of "+which+" is "+square);   } }        

This programme has 2 input validation problems. The first trouble occurs if the user inputs a non-integer value. In Coffee, this causes a NumberFormatException to be thrown. The second problem occurs if the user enters a value that does not lie between 0 and 9. In Coffee, this will lead to an ArrayIndexOutOfBoundsException. A robust program would grab this error, provide a clear and advisable error message, and ask the user to re-type their input.

How can I properly validate input?

Check your input: The basic rule is for input validation is to bank check that input data matches all of the constraints that information technology must see to be used correctly in the given circumstance. In many cases, this can be very difficult: confirming that a gear up of digits is, in fact, a telephone number may require consideration of the many differing phone number formats used past countries around the world. Some of the checks that y'all might want to apply include:

• Type: Input information should be of the right type. Names should generally be alphabetic, numbers numeric. Punctuation and other uncommon characters are particularly troubling, as they can often be used to form the basis of code-injection attacks. Many programs will handle input information by bold that all input is of string class, verifying that the string contains advisable characters, and then converting the string into the desired information type.
• Range: Verify that numbers are within a range of possible values: For instance, the calendar month of a person's appointment of birth should lie between i and 12. Another common range cheque involves values that may lead to partitioning past zero errors.
• Plausibility: Check that values make sense: a person's age shouldn't be less than 0 or more than 150.
• Presence check: Guarantee presence of important data – the omission of important data tin can exist seen as an input validation error.
• Length: Input that is either too long or too short will not be legitimate. Phone numbers by and large don't have 39 digits; Social Security Numbers have exactly 9
• Format: Dates, credit card numbers, and other information types have limitations on the number of digits and any other characters used for separation. For example, dates are unremarkably specified by 2 digits for the calendar month, 1 or ii for the 24-hour interval, and either 2 or four for the year.
• Checksums: Identification numbers such as banking concern accounts, oft have cheque digits: boosted digits included at the cease of a number to provide a verifiability check. The cheque digit is determined by a calculation based on the remaining digits – if the check digit does not match the results of the calculation,either the ID is bad or the check digit is bad. In either example, the number should exist rejected as invalid.

Use appropriate language tools: The safety of tools that read user input varies beyond programming languages and systems. Some languages, such equally C and C++ take library calls that read user input into a grapheme buffer without checking the premises of that buffer, causing a both a buffer overflow and an input validation problem. Alternative libraries specifically designed with security in mind are oftentimes more than robust.

The pick of programming languages can play a role in the potential severity of input validation vulnerabilities. As strongly-typed languages, Java and C++ require that the type of data stored in a variable is known ahead of fourth dimension. This requirement leads to the blazon mismatch problem when, for example, a string such as "abcd" is typed in response to a request for an integer. Untyped languages such as Perl and Ruby do not have whatever such requirements – whatsoever variable can store whatsoever type of value. Of course, these languages do non eliminate validation problems – y'all may nevertheless run into trouble if you lot employ a cord to retrieve an item from an integer- indexed array. Some languages provide boosted aid in the form of built-in procedures that can be used to remove potentially damaging characters from input strings.

Recover Appropriately: A robust programme will answer to invalid input in a manner that is advisable, correct, and secure. For user input, this volition often hateful providing an informative error message and requesting re-entry of the data. Invalid input from other sources – such every bit a network connection – may require alternate measures. Capricious decisions such as truncating or otherwise reformatting information to "get in fit" should be avoided.

Laboratory Consignment

Program i

import java.util.*;  public class Input {     public static void main(String[] args) {     Scanner scan = new Scanner(System.in);      int sz = getArraySize(scan);     String[] names = getNames(scan,sz);      int which = getWhich(scan);     String aName = getName(which,names);      Arrangement.out.println("You lot choose name: "+aName);   }    public static int getArraySize(Scanner scan) {     System.out.print("How many names? ");     int n =  browse.nextInt();     scan.nextLine();     return n;   }    public static String[] getNames(Scanner browse, int sz) {     Cord[] names = new Cord[sz];     for (int i = 0; i < sz; i++ ){       Organisation.out.print("type proper noun # "+(i+one)+": ");       names[i] = scan.nextLine();     }     render names;   }    public static int getWhich(Scanner scan) {     System.out.impress("Which name: ");     int ten = scan.nextInt();     return x;   }    public static String getName(int northward,Cord[] vals) {       render vals[n-1];   } }        

Lab Questions:

1. Complete the security checklist for this plan. Submit marked program and completed checklist.
2. Listing the potential input validation errors.
3. Provide example inputs that might cause validation problems, and describe the issues that they might cause.
4. What happens if you blazon non-numeric characters for either the number of names or which name you wanted to retrieve?
5. Revise the plan * to properly validate input and gracefully recover from errors.

*Copying and pasting programs may consequence in syntax errors and other inconsistencies. It is recommended you type each program.

Plan 2 (optional - check with your instructor if y'all need to consummate this program)

Y'all're writing a program that volition be used to submit bid on items from an online sale site. Each item is bachelor in multiple lots – for example, at that place might be 100 boxes of crayons available. Your program must ask users for ii important pieces of information:

• The price that they are willing to pay for the item, given in dollars and cents.
• The quantity of that particular that they desire to bid on. This quantity must exist at least one, and information technology must be a whole number – it's not possible to buy fractional parts of an item.

Your program should validate the user input for both quantities. To do so, accept the following steps:

• Price of items
  1. Enquire the user to type the number of items
  2. Read this value into a cord
  3. Write a routine that will examine the cord to verify that it contains a number that can be a legal corporeality of money. This cord must contain:
     • Some number of integers (possibly cypher) – the number of dollars
     • An optional decimal indicate
     • Some number of integers (possibly zero) - the number of cents
     • There must exist at least one digit in the number. Thus, "12.34", "12", and ".34", are all valid prices, but "12,34" and '." are not. To examine all of the characters in the string, you tin can the charAt(i) method from the string class. You tin can check each grapheme in the string to run across that it is either a decimal or an integer. Yous should likewise check to make sure that there are not multiple decimal points.

  This routine should return a boolean value that is truthful if the cord is a legitimate price and fake otherwise.

  4. If the value provided is not legitimate, print an mistake message.
  5. If the value is legitimate, catechumen it into a float by using

  Float f = Float.parseFloat(s)              

  if s is the string that the user typed.

• Number of items: This will be similar to the price, but yous must simply bank check for whole numbers – no decimals immune. The quantity must be greater than or equal to one. You will catechumen the result to an int (using Integer.parseInt(southward) ), not a float.
• An interactive loop: put these two checks in a loop that will inquire for both values, check both to see if they are valid, and then repeat requests for any values that are non valid. The easiest mode to do this is probably to have two boolean values , one for each input quantity. These values will correspond the validity of the input quantities. You will stay in an input loop as long equally at least one of them is fake. When this is the case, you will and so check the values to see which is false (i.e., invalid) . If a value is not valid, you will echo the prompt and validate the response. This will continue until both are valid.

Security Checklist

Security Checklist
Vulnerability:Input Validation Course: CS2
Task - Bank check each line of code	Completed
one. Mark each variable that receives external input with a Five
For each statement that is marked with a V, verify that the variable is checked for each of these criteria. Note whatever that is not checked for:
one. Length
ii  Range (reasonableness?)
three. Format
four. Type
Shaded areas indicate vulnerabilities!

Discussion Questions

1. Y'all're writing a plan that asks the user to type in a telephone number. How might you validate that the characters that they've typed stand for a legal telephone number? You should assume that you're only concerned about phone numbers from the The states, simply you want to give users as much flexibility as possible, in terms of spaces and punctuation characters. List some rules that y'all might utilize. Make sure that you complete this question before moving on to question #2.
2. Find an example of a phone number that doesn't fit your rules.
3. Draw either an example of an input validation problem that you lot may take encountered. If you lot tin can't recollect having any sort of problem, effort some spider web pages or other software tools – try to discover a organization that fails to validate input information correctly.

Further Work (optional - check with your instructor if you lot need to answer the following questions)

1. If input is sufficiently cryptic, it might be hard to provide useful error letters in responses to invalid input. Describe some strategies that might be used to help users recover from invalid input.
2. Revisit Plan 2. Are at that place any inputs that the above clarification accepts as valid that perhaps should exist considered invalid? If so, what are they and how might you handle them?

Olsen, Kai. "The $100,000 Keying mistake" IEEE Computer, August 2008

kaplanbuttere.blogspot.com

Source: https://cisserv1.towson.edu/~cssecinj/modules/cs2/input-validation-cs2-java/

Share this post