Contest Considerations from a Technical Perspective


Eric Grimm, Senior Programmer, offers up this advice if you run a contest asking for user generated content.

I’m going to focus on some UGC (user generated content) aspects from the programming and security side of the equation. Now repeat after me: NEVER TRUST USER INPUT! This holds even for a simple form that only collects names and addresses, and it demands even more caution when you allow large blocks of text, or let your audience upload scary files as part of a contest entry from their computers or wherever those files may reside.

Threat levels are easier to manage for name, address, and similar fields, because it makes sense to limit their character counts, leaving malicious content less room to hide. But if you’re allowing free-form essays, then untold dangers could be hidden in the text. Most programming languages have libraries to minimize or eliminate these dangers, so make sure your application developers are using these functions. This is of utmost importance if the content may be redisplayed on a web page (such as in a moderation/judging tool or in a gallery of featured entries). If the text isn’t handled properly, then malicious scripts may be allowed to execute, leading to all sorts of mischief.

File uploads like photos or videos are even more dangerous. It’s trivial to rename ‘virus.exe’ to ‘sparkle_ponies.jpg’ and upload this ‘image’ to your server. If this file is uploaded as-is to a location on your server that’s easily guessed (yoursite.com/gallery/sparkle_ponies.jpg, for example), then the attacker can simply call that URL and wreak havoc remotely.

Be careful what you put in your database.

Here are a few things to keep in mind if you are setting up a contest, or to check that your programming team is doing:

  • Upload user files to a location outside your web root, limiting files to accepted types as best you can at this point of interaction.
  • Inspect the file to make sure it’s an accepted format. Extensions can be faked, so again, use the tools exposed by your programming language to inspect the actual content or MIME (Multipurpose Internet Mail Extensions) type of the file.
  • If the file is suspicious, DELETE IT! Make the user aware of this action via an error message. Keep it vague, such as “Please make sure your file is an accepted type (.jpg, .gif or .png) and does not exceed 5MB in size.”
  • If the file is acceptable, RENAME IT to something obscure, such as a hash of the original file name and a timestamp – so sparkle_ponies.jpg becomes ACAF26B4F763B586B89D8A3D2BCF0B5FECEDF20A.jpg.
  • Only then should you move the file to a web-accessible location (yoursite.com/gallery/ACAF26B4F763B586B89D8A3D2BCF0B5FECEDF20A.jpg) for moderation, gallery or voting purposes.
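An added example (not Marden-Kane’s code) that walks the five steps above in Python with only the standard library: stage the upload outside the web root, sniff the real type from the file’s leading bytes rather than its extension, delete it with the vague message on rejection, and otherwise rename it to a hash (SHA-256 here) of the original name plus a timestamp and move it into the gallery. The quarantine and gallery directories, the 5 MB cap and the two sample files are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024  # 5 MB cap, as in the post's error message
# File signatures (magic bytes) of the accepted types; the extension is ignored.
SIGNATURES = {"jpg": (b"\xff\xd8\xff",), "png": (b"\x89PNG\r\n\x1a\n",),
              "gif": (b"GIF87a", b"GIF89a")}
VAGUE_ERROR = ("Please make sure your file is an accepted type "
               "(.jpg, .gif or .png) and does not exceed 5MB in size.")

def sniff_type(data: bytes):
    """Return the real type from the leading bytes, or None if unrecognised."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None

def obscure_name(original_name: str, ext: str, now: float) -> str:
    """Hash of the original file name plus a timestamp, with the sniffed extension."""
    digest = hashlib.sha256(f"{original_name}|{now}".encode()).hexdigest().upper()
    return f"{digest}.{ext}"

def process_upload(original_name, data, quarantine: Path, gallery: Path, now=None):
    """Stage outside the web root, inspect, then delete or rename-and-move to the gallery."""
    now = time.time() if now is None else now
    for d in (quarantine, gallery):
        d.mkdir(parents=True, exist_ok=True)
    staged = quarantine / f"upload-{hashlib.sha256(data).hexdigest()[:16]}.tmp"
    staged.write_bytes(data)                      # step 1: not web-accessible yet
    ext = sniff_type(data)                        # step 2: inspect content, not name
    if ext is None or len(data) > MAX_BYTES:
        staged.unlink()                           # step 3: delete, vague message
        return False, VAGUE_ERROR
    final = gallery / obscure_name(original_name, ext, now)   # step 4: rename
    shutil.move(str(staged), str(final))          # step 5: only now web-accessible
    return True, final.name

def demo() -> dict:
    """Two constructed uploads: executable bytes named .jpg, and a PNG named .exe."""
    with tempfile.TemporaryDirectory() as root:
        q, g = Path(root, "quarantine"), Path(root, "gallery")
        fake_exe = b"MZ\x90\x00" + b"\x00" * 64   # constructed, not a real program
        real_png = SIGNATURES["png"][0] + b"\x00" * 64
        rejected = process_upload("sparkle_ponies.jpg", fake_exe, q, g, now=1700000000)
        accepted = process_upload("virus.exe", real_png, q, g, now=1700000000)
        return {"rejected": rejected, "accepted": accepted,
                "quarantine_left": [p.name for p in q.iterdir()],
                "gallery": [p.name for p in g.iterdir()]}
```

A real deployment would also enforce the size limit before the file is fully read, and the sniffing table here covers only the three types the post accepts.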

These are just some of the techniques Marden-Kane uses to ensure your contest goes smoothly. Contact us if you need help with your next contest.
