# Exploit Mitigation

> All User Input is Evil

## Web Mitigations

### Uploads

* Validate the following
    * Content-Type
    * File Extension
    * Magic File Number
    * Maximum File Size
* Rename the file randomly
* Scan for Malware
* Use Path objects instead of Strings
* Save uploads outside of the web root
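The checklist above, applied in one PHP upload handler. This is an added example, not code from the original notes; the upload directory, size limit, allowed-type table and the ClamAV scan hook are assumptions. PHP has no native Path class, so the "Path objects" item is covered here by never letting the client-supplied name reach the filesystem at all.

```php
<?php
// Added example (not from the original notes). Paths, limits and the
// allowed-type table are assumptions for illustration.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed limit: 2 MiB

// Whitelist: extension => [expected Content-Type header, MIME detected from magic bytes]
const ALLOWED = [
    'png' => ['image/png',       'image/png'],
    'jpg' => ['image/jpeg',      'image/jpeg'],
    'pdf' => ['application/pdf', 'application/pdf'],
];

/**
 * Validate one entry of $_FILES and move it to a random name outside the web root.
 * Returns the stored path, or throws on any failed check.
 */
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Maximum file size: check the real size on disk, not only the reported one
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // File extension, lower-cased, taken from the client name for the whitelist lookup only
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    [$expectedHeader, $expectedMagic] = ALLOWED[$ext];
    // Content-Type as sent by the browser (client-controlled, so only a first filter)
    if ($file['type'] !== $expectedHeader) {
        throw new RuntimeException('content-type mismatch');
    }
    // Magic number: let libmagic sniff the actual bytes of the temporary file
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $expectedMagic) {
        throw new RuntimeException('magic bytes mismatch');
    }
    // Random rename: the client name never becomes part of a filesystem path
    $target = UPLOAD_DIR . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Malware scan hook (assumed: clamdscan from ClamAV; exit 0 = clean, 1 = infected, 2 = error)
function scanForMalware(string $path): bool
{
    exec('clamdscan --no-summary ' . escapeshellarg($path), $out, $rc);
    return $rc === 0;
}

if (isset($_FILES['upload'])) {
    $path = storeUpload($_FILES['upload']);
    if (!scanForMalware($path)) {
        unlink($path);          // never keep a file the scanner did not clear
        http_response_code(400);
        exit('rejected');
    }
    echo 'stored';
}
```

The header check alone is weak because the browser (or any HTTP client) chooses the `Content-Type`; the magic-byte check with `finfo` is the one that inspects the file itself, and the two together with the extension whitelist keep the three views of the file consistent.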

### Database SQLi

* Typecast variables before they are inserted into a query
* Prepared Statements
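Both items from the list applied to a user lookup, with the string-concatenation version beside the mitigated one. This is an added example, not code from the original notes; the DSN, credentials and `users` table are assumptions.

```php
<?php
// Added example (not from the original notes). DSN, credentials and the
// users table are assumptions for illustration.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Vulnerable: the raw query-string value is concatenated into the SQL text,
// so anything the client appends after the number becomes part of the query.
function findUserUnsafe(PDO $pdo, string $rawId): array
{
    $sql = "SELECT id, name FROM users WHERE id = " . $rawId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Mitigated: typecast first, then bind the value through a prepared statement.
function findUser(PDO $pdo, string $rawId): ?array
{
    $id = (int) $rawId;                      // "1 OR 1=1" -> 1, "abc" -> 0
    if ($id <= 0) {
        return null;                         // reject ids outside the valid range
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String values cannot be typecast away; they still go through bind parameters,
// and the driver handles quoting so the value is data, never SQL.
function findUserByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
$row = findUser($pdo, $_GET['id'] ?? '');
echo $row === null ? 'not found' : htmlentities($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

Typecasting covers the numeric case on its own, but the prepared statement is the general mitigation: it separates the query text from the values for every column type, which is why the string lookup also uses it.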

### HTML5 Input & Forms

* An `<input>` field can carry a `pattern` attribute that checks the value against a regex. For a free-text field a regex alone is not sufficient; whitelist the allowed characters.
* Use the `type` attribute of `<input>` to set the type of the values
* Constraints on an input can be expressed with the `required` attribute and the following attributes:
    * `minlength`
    * `maxlength`
    * `size`
    * `min`
    * `max`
    * `pattern`
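A form using the attributes listed above, together with the server-side whitelist check that has to back them up, since the browser attributes only shape what a cooperating client sends. This is an added example, not code from the original notes; the field names and the rules are assumptions.

```php
<?php
// Added example (not from the original notes). Field names, the character
// whitelist and the numeric range are assumptions for illustration.

declare(strict_types=1);

// Server-side rules, kept in one place so the form and the validator agree.
const RULES = [
    'username' => ['pattern' => '/\A[a-z0-9_]{3,16}\z/'],
    'age'      => ['min' => 18, 'max' => 120],
];

// The HTML5 side: type, required, minlength/maxlength, size, min/max and pattern.
function renderForm(): string
{
    return <<<'HTML'
<form method="post" action="">
  <label>Username
    <input type="text" name="username" required
           minlength="3" maxlength="16" size="20"
           pattern="[a-z0-9_]{3,16}">
  </label>
  <label>Age
    <input type="number" name="age" required min="18" max="120">
  </label>
  <button type="submit">Register</button>
</form>
HTML;
}

/** Returns a list of error messages; an empty list means the input is valid. */
function validate(array $post): array
{
    $errors = [];

    // Whitelist the character set and length; the browser's pattern is advisory only.
    $username = $post['username'] ?? '';
    if (!is_string($username) || preg_match(RULES['username']['pattern'], $username) !== 1) {
        $errors[] = 'username: 3-16 characters from [a-z0-9_]';
    }

    // type="number" does not guarantee a number arrives: re-check and typecast on the server.
    $age = $post['age'] ?? '';
    $valid = is_string($age) && filter_var($age, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => RULES['age']['min'], 'max_range' => RULES['age']['max']],
    ]) !== false;
    if (!$valid) {
        $errors[] = 'age: integer between 18 and 120';
    }

    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST);
    if ($errors) {
        http_response_code(422);
        foreach ($errors as $e) {
            echo htmlentities($e, ENT_QUOTES | ENT_HTML5, 'UTF-8'), '<br>';
        }
    } else {
        echo 'ok';
    }
} else {
    echo renderForm();
}
```

The `pattern` attribute is implicitly anchored to the whole value, which is why the server-side regex uses `\A` and `\z`: the two checks then accept exactly the same strings, and a request crafted without the form still meets the same rule.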

### PHP Input Backend

* `htmlentities()` escapes characters that are significant in HTML before untrusted data is written into a page
```php
$name = htmlentities($_GET['name'], ENT_QUOTES | ENT_HTML5, "UTF-8");
```
* Use HTMLPurifier when some HTML markup from the user has to be kept
* Use `intval()` to typecast, e.g. ids
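The three backend rules applied to a comment page: escaping for plain-text fields, HTMLPurifier for a rich-text field, and `intval()` for the id. This is an added example, not code from the original notes; it assumes HTMLPurifier is installed through Composer and that `name`, `body` and `id` are the request parameters.

```php
<?php
// Added example (not from the original notes). Assumes ezyang/htmlpurifier is
// installed via Composer; the parameter names are assumptions for illustration.

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

/** Escape for an HTML text or quoted-attribute context. */
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Reduce rich-text input to a small whitelist of tags, attributes and URI schemes. */
function purifyComment(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

/** Typecast an id from the query string; null when it is not a positive integer. */
function idFromQuery(array $query, string $key = 'id'): ?int
{
    $id = intval($query[$key] ?? 0);   // "42abc" -> 42, "abc" -> 0, "-1" -> -1
    return $id > 0 ? $id : null;
}

$id = idFromQuery($_GET);
if ($id === null) {
    http_response_code(400);
    exit('bad id');
}

// Plain-text field: escape at the point of output, and store the raw value unescaped
$name = $_GET['name'] ?? 'anonymous';
echo '<h2>Comment #' . $id . ' by ' . e($name) . '</h2>';

// Rich-text field: purify, then emit the sanitized HTML without further escaping
$body = $_POST['body'] ?? '';
echo '<div class="comment">' . purifyComment($body) . '</div>';

// Attribute context: the same escaper works inside a quoted attribute because of ENT_QUOTES
echo '<input type="hidden" name="author" value="' . e($name) . '">';
```

The split matters: `htmlentities()` neutralises every tag, so it is the right tool for fields that must never render as markup, while HTMLPurifier parses the input and rebuilds it from the allowed subset, which is what a field that legitimately contains markup needs. Applying both to the same value would destroy the formatting the purifier just allowed.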