Contest Considerations from a Technical Perspective

Eric Grimm, Senior Programmer, offers up this advice if you run a contest asking for user-generated content.

I’m going to focus on some UGC (user-generated content) aspects from the programming and security side of the equation. Now repeat after me: NEVER TRUST USER INPUT! This is true of a simple form that only collects names and addresses, but it demands even more caution when you allow large blocks of free-form text, or let your audience upload files (and files are scary) as part of a contest entry from their computers or wherever those files may reside.

Name, address, and similar fields are a bit easier to manage because you can legitimately be strict about them: limit the length and the allowed characters, and malicious content has very little room to hide. Free-form essays are another matter. Almost anything can be hidden in a block of prose, and you cannot reject an entry just because it contains angle brackets or quotation marks. The danger comes out when that text is put back on a web page, such as in a moderation/judging tool or in a gallery of featured entries. Every programming language and web framework has functions to escape (encode) text for the context it is displayed in, so make sure your application developers are using them at output time, and everywhere user text appears, not just on the public pages: a judge’s browser is as exploitable as a visitor’s. If the text isn’t handled properly, then scripts hidden in an entry may execute in the browser of whoever views it, leading to all sorts of mischief.
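As an added example (not code from the article or from Marden-Kane), here is how the two kinds of field might be handled in Python: a strict allowlist for a short field, and output-time HTML escaping for the essay, with a parser used to confirm that a malicious entry renders as inert text. The allowed-character policy, the gallery template and the sample entry are assumptions made for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for a short field: letters (including accented ones), spaces,
# hyphens, apostrophes and periods, at most 80 characters. Anything else has
# no business in a name, so it is rejected outright.
NAME_RE = re.compile(r"[A-Za-z\u00C0-\u017F .'-]{1,80}")


def validate_name(name: str) -> bool:
    """Strict allowlist plus a length cap: the short-field strategy."""
    return NAME_RE.fullmatch(name.strip()) is not None


def render_entry_unsafe(name: str, essay: str) -> str:
    """The mistake: user text pasted straight into the page markup."""
    return (f'<div class="entry" data-author="{name}">'
            f'<h3>{name}</h3><p>{essay}</p></div>')


def render_entry(name: str, essay: str) -> str:
    """The fix: every user value is HTML-escaped at output time.
    quote=True also escapes quotes, so the value is safe inside an
    attribute as well as in element text."""
    safe_name = html.escape(name, quote=True)
    safe_essay = html.escape(essay, quote=True)
    return (f'<div class="entry" data-author="{safe_name}">'
            f'<h3>{safe_name}</h3><p>{safe_essay}</p></div>')


class _TagCollector(HTMLParser):
    """Records the elements and attribute names a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attr_names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def markup_seen(fragment: str) -> tuple[list[str], list[str]]:
    """Parse a rendered fragment and return (element names, attribute names).
    A correctly escaped entry shows only the template's own markup."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.attr_names


# Constructed sample entry: a name that tries to break out of the attribute,
# and an essay carrying a script tag and an inline event handler.
EVIL_NAME = 'Eve" onmouseover="alert(1)'
EVIL_ESSAY = ('My pony <script>fetch("/judge?vote=me")</script> '
              '"><img src=x onerror=alert(1)>')
# What the template itself contributes; nothing else should appear.
TEMPLATE_MARKUP = (["div", "h3", "p"], ["class", "data-author"])

if __name__ == "__main__":
    print("name accepted:", validate_name(EVIL_NAME))
    print("unsafe render:", markup_seen(render_entry_unsafe(EVIL_NAME, EVIL_ESSAY)))
    print("safe render:  ", markup_seen(render_entry(EVIL_NAME, EVIL_ESSAY)))
```

The unsafe render produces script and img elements with onmouseover and onerror handlers; the escaped render produces only the template's div, h3 and p, and the name would never have passed the allowlist in the first place. The escaping must be chosen for the context: html.escape covers element text and quoted attributes, but text placed inside a script block or a URL needs that context's own encoding.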

File uploads like photos or videos are even more dangerous. It’s trivial to rename ‘virus.exe’, or a server-side script, to ‘sparkle_ponies.jpg’ and upload this ‘image’ to your server; the extension says nothing about what the bytes actually are. If the file is written as-is to a web-accessible location with a guessable name (yoursite.com/gallery/sparkle_ponies.jpg, for example), the attacker knows exactly where it landed and can call that URL, or send other people to it, before anyone has looked at it. Whether that wreaks havoc depends on how your server and your visitors’ browsers treat the file (a server that hands a disguised script to an interpreter, or a browser that sniffs the content instead of trusting the declared type, are the classic failures), but you have already handed over the one thing the attacker needs: a predictable URL that serves content you never inspected.

Here are a few things to keep in mind if you are setting up a contest, or to check that your programming team is doing:

  • Store user files, as they arrive, in a location outside your web root, so nothing is reachable by URL until you have looked at it. Limit uploads to accepted types and a maximum size as best you can at this point of interaction; the extension and the Content-Type the browser sends are a first filter, not proof.
  • Inspect the file to make sure it’s an accepted format. Extensions can be faked, and so can the MIME (Multipurpose Internet Mail Extensions) type the browser declares, so use the tools exposed by your programming language to inspect the actual content (the file signature, or ‘magic bytes’, at the start of the file) and derive the type from that.
  • If the file is suspicious, DELETE IT! Make the user aware of this action via an error message, but keep it vague, such as “Please make sure your file is an accepted type (.jpg, .gif or .png) and does not exceed 5MB in size.” An attacker learns nothing from that message about which check caught them.
  • If the file is acceptable, RENAME IT to something obscure, such as a hash of the original file name and a timestamp – so sparkle_ponies.jpg becomes ACAF26B4F763B586B89D8A3D2BCF0B5FECEDF20A.jpg. Take the extension from the type you detected in the previous step, not from the name the user supplied, so the name and the contents always agree.
  • Only then should you move the file to a web-accessible location (yoursite.com/gallery/ACAF26B4F763B586B89D8A3D2BCF0B5FECEDF20A.jpg) for moderation, gallery or voting purposes. Serve that directory as static files only, never through an interpreter, and with the Content-Type that matches the detected format.

These are just some of the techniques Marden-Kane uses to ensure your contest goes smoothly. Contact us if you need help with your next contest.

To read more posts by Marden-Kane, please visit our main blog page or subscribe to our email list.

© 2025 Marden Kane. Designed by Fullerton Strategies