Monday, March 1, 2010

Validating by White List approval

White listing refers to comparing input against an approved list and rejecting whatever isn't on it. It is like trying to get backstage at a concert: if your name isn't on the VIP list and you don't have a pass, you can't get in. Your name is compared to the list of people allowed backstage, and if it doesn't appear you are turned away. That may seem harsh, but when you are building a web app it can be one of the methods that separate you from being attacked.

Take the following example. The user has supplied an email address as input. Assume that the input has already been validated by a preg_match() call that checks the format of the $_POST['email'] value in the associative array.


<?php
// Buffer output so the header() call further down still works after the HTML
// has been emitted (otherwise PHP reports "headers already sent").
ob_start();
?>
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Example of Whitelist Validation</title>
</head>

<body>
<h2>Example of Whitelist Validation</h2>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<label for="txtemail">Email</label>
<!-- escape the submitted value before echoing it back into the attribute -->
<input name="email" type="text" id="txtemail" maxlength="50" value="<?php if (isset($_POST['email'])) echo htmlspecialchars($_POST['email']); ?>" />
<br />
<input type="submit" value="Submit" name="action" />
</form>

<?php

//...PREG_MATCH email validation
if (isset($_POST['email'])) {
    // lower-case so the comparison with the stored addresses is case-insensitive
    $input_email = strtolower($_POST['email']);

    mysql_connect("localhost", "dummy", "123456") or die("Unable to connect to database");
    mysql_select_db("Attendees") or die("Cannot select database or it does not exist");
    $result_id = mysql_query("SELECT email FROM tblContacts WHERE entry = 1") or die("Cannot query the database");

    // build a flat list of approved addresses: push the email column, not the
    // whole $row array, otherwise in_array() below can never match a string
    $approved_email_array = array();
    while ($row = mysql_fetch_array($result_id)) {
        array_push($approved_email_array, strtolower($row['email']));
    }

    if (!empty($input_email)) {
        // third argument makes the comparison strict (===)
        if (!in_array($input_email, $approved_email_array, true)) {
            echo("The email you have provided was not on the list. Good bye.");
        } else {
            echo("<b>Welcome " . htmlspecialchars($input_email) . ", please wait...</b>");
            header('Refresh: 5; url=../welcome.php');
        }
    } else {
        echo("Your email was not provided;");
    }
}
?>
</body>
</html>


Explanation: Let's say you have a list of email addresses stored in a MySQL database, and your web application uses it to decide whether to proceed to the next page.
  1. You place the email provided by the user in a variable and convert it to lower-case. The reason is that the in_array() function we are going to use is case-sensitive for string values (this assumes the values are stored in lower-case form in your database as well).
  2. You then place the approved email values from the database in an array with the array_push() function (the entry column of tblContacts is a Boolean value that determines whether the email is approved or not). Place the retrieved elements in $approved_email_array.
  3. Error handling 1: If the user input is not empty, proceed with the contents of the if branch; otherwise proceed to the else branch.
  4. Error handling 2: If the email the user entered is not in the approved array, display an error message; otherwise redirect the user to a welcome page.
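As an added example (not the post's own code), here is a self-contained PHP version of the same whitelist check written so that the list-building loop and the membership test actually match, together with the two preliminaries a practitioner would want: a format check standing in for the preg_match() the post assumes, and escaping before anything the user typed is echoed back. It goes slightly beyond the post by normalising both sides of the comparison (trim and lower-case) instead of assuming the database is already lower-case. The approved list is a constructed array standing in for the rows fetched from tblContacts, and the function names are assumptions of this example.

```php
<?php
// Added example, not the original post's code. The approved list below is a
// constructed stand-in for "SELECT email FROM tblContacts WHERE entry = 1";
// all helper names are assumptions of this example.

declare(strict_types=1);

/**
 * Normalise an address the same way for the user input and the stored list,
 * so that "Alice@Example.COM " and "alice@example.com" compare equal.
 */
function normalise_email(string $email): string
{
    return strtolower(trim($email));
}

/**
 * Step 1 of the check: reject anything that is not even shaped like an
 * e-mail address before consulting the approved list. FILTER_VALIDATE_EMAIL
 * is PHP's built-in stand-in for the preg_match() the post assumes.
 */
function is_well_formed_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Step 2: strict membership test. $approved must be a flat list of strings
 * (one address per element), not a list of database rows, and the third
 * argument to in_array() forces === so no loose-comparison surprises occur.
 */
function is_approved_email(string $input, array $approved): bool
{
    $needle = normalise_email($input);
    if (!is_well_formed_email($needle)) {
        return false;
    }
    $haystack = array_map('normalise_email', $approved);
    return in_array($needle, $haystack, true);
}

/**
 * Turn the raw rows a database client returns into the flat list the
 * whitelist needs. Pushing $row (an array) instead of $row['email']
 * (a string) is the mistake that makes in_array() never match.
 */
function approved_emails_from_rows(array $rows): array
{
    $list = [];
    foreach ($rows as $row) {
        if (isset($row['email']) && is_string($row['email'])) {
            $list[] = $row['email'];
        }
    }
    return $list;
}

// Constructed sample rows standing in for the tblContacts query result.
$rows = [
    ['email' => 'alice@example.com', 'entry' => 1],
    ['email' => 'Bob@Example.com',   'entry' => 1],
];
$approved = approved_emails_from_rows($rows);

// Constructed inputs covering the edge cases: exact match, case and
// whitespace differences, a well-formed address that is not listed,
// a string that is not an address at all, and empty input.
$cases = [
    'alice@example.com'    => true,
    'ALICE@example.com  '  => true,
    'bob@example.com'      => true,
    'mallory@example.com'  => false,
    "alice@example.com'--" => false,
    ''                     => false,
];

foreach ($cases as $input => $expected) {
    $ok = is_approved_email($input, $approved);
    // htmlspecialchars() before echoing keeps a rejected value from being
    // reflected back into the page as markup.
    printf("%-24s => %s%s\n",
        htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
        $ok ? 'approved' : 'rejected',
        $ok === $expected ? '' : '  (UNEXPECTED)');
}
```

Run it with `php whitelist_example.php` (any file name works); each line should end in `approved` or `rejected` with no `(UNEXPECTED)` marker. The format check runs before the list lookup so that the list only ever sees candidates of the expected shape, and the strict `in_array()` plus flat string list is what the post's loop needs in order to match at all.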
Hope this helps you make more secure scripts.
